il y a 5 ans · 98f8bf1970
--- a/apis/externalsecrets/v1alpha1/secretstore_awssm_types.go
+++ b/apis/externalsecrets/v1alpha1/secretstore_awssm_types.go
@@ -18,24 +18,28 @@ import (
 
				 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
			
 
				 )
			
 
				 
			
 
				+// AWSSMAuth contains a secretRef for credentials.
			
 
				 type AWSSMAuth struct {
			
 
				 	SecretRef AWSSMAuthSecretRef `json:"secretRef"`
			
 
				 }
			
 
				 
			
 
				+// AWSSMAuthSecretRef holds secret references for aws credentials
			
 
				+// both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
			
 
				 type AWSSMAuthSecretRef struct {
			
 
				 	// The AccessKeyID is used for authentication
			
 
				-	// +optional
			
 
				 	AccessKeyID esmeta.SecretKeySelector `json:"accessKeyIDSecretRef,omitempty"`
			
 
				 
			
 
				 	// The SecretAccessKey is used for authentication
			
 
				-	// +optional
			
 
				 	SecretAccessKey esmeta.SecretKeySelector `json:"secretAccessKeySecretRef,omitempty"`
			
 
				 }
			
 
				 
			
 
				-// Configures a store to sync secrets using the AWS Secret Manager provider.
			
 
				+// AWSSMProvider configures a store to sync secrets using the AWS Secret Manager provider.
			
 
				 type AWSSMProvider struct {
			
 
				 	// Auth defines the information necessary to authenticate against AWS
			
 
				-	Auth AWSSMAuth `json:"auth"`
			
 
				+	// if not set aws sdk will infer credentials from your environment
			
 
				+	// see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
			
 
				+	// +nullable
			
 
				+	Auth *AWSSMAuth `json:"auth"`
			
 
				 
			
 
				 	// Role is a Role ARN which the SecretManager provider will assume
			
 
				 	// +optional
			
--- a/apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go
@@ -58,7 +58,11 @@ func (in *AWSSMAuthSecretRef) DeepCopy() *AWSSMAuthSecretRef {
 
				 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
			
 
				 func (in *AWSSMProvider) DeepCopyInto(out *AWSSMProvider) {
			
 
				 	*out = *in
			
 
				-	in.Auth.DeepCopyInto(&out.Auth)
			
 
				+	if in.Auth != nil {
			
 
				+		in, out := &in.Auth, &out.Auth
			
 
				+		*out = new(AWSSMAuth)
			
 
				+		(*in).DeepCopyInto(*out)
			
 
				+	}
			
 
				 }
			
 
				 
			
 
				 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSSMProvider.
			
--- a/config/crd/bases/external-secrets.io_clustersecretstores.yaml
+++ b/config/crd/bases/external-secrets.io_clustersecretstores.yaml
@@ -59,10 +59,15 @@ spec:
 
				                       AWS Secret Manager provider
			
 
				                     properties:
			
 
				                       auth:
			
 
				-                        description: Auth defines the information necessary to authenticate
			
 
				-                          against AWS
			
 
				+                        description: 'Auth defines the information necessary to authenticate
			
 
				+                          against AWS if not set aws sdk will infer credentials from
			
 
				+                          your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
			
 
				+                        nullable: true
			
 
				                         properties:
			
 
				                           secretRef:
			
 
				+                            description: AWSSMAuthSecretRef holds secret references
			
 
				+                              for aws credentials both AccessKeyID and SecretAccessKey
			
 
				+                              must be defined in order to properly authenticate.
			
 
				                             properties:
			
 
				                               accessKeyIDSecretRef:
			
 
				                                 description: The AccessKeyID is used for authentication
			
--- a/config/crd/bases/external-secrets.io_secretstores.yaml
+++ b/config/crd/bases/external-secrets.io_secretstores.yaml
@@ -59,10 +59,15 @@ spec:
 
				                       AWS Secret Manager provider
			
 
				                     properties:
			
 
				                       auth:
			
 
				-                        description: Auth defines the information necessary to authenticate
			
 
				-                          against AWS
			
 
				+                        description: 'Auth defines the information necessary to authenticate
			
 
				+                          against AWS if not set aws sdk will infer credentials from
			
 
				+                          your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
			
 
				+                        nullable: true
			
 
				                         properties:
			
 
				                           secretRef:
			
 
				+                            description: AWSSMAuthSecretRef holds secret references
			
 
				+                              for aws credentials both AccessKeyID and SecretAccessKey
			
 
				+                              must be defined in order to properly authenticate.
			
 
				                             properties:
			
 
				                               accessKeyIDSecretRef:
			
 
				                                 description: The AccessKeyID is used for authentication
			
--- a/go.mod
+++ b/go.mod
@@ -2,10 +2,38 @@ module github.com/external-secrets/external-secrets
 
				 
			
 
				 go 1.13
			
 
				 
			
 
				+replace (
			
 
				+	k8s.io/api => k8s.io/api v0.20.2
			
 
				+	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.20.2
			
 
				+	k8s.io/apimachinery => k8s.io/apimachinery v0.20.2
			
 
				+	k8s.io/apiserver => k8s.io/apiserver v0.20.2
			
 
				+	k8s.io/cli-runtime => k8s.io/cli-runtime v0.20.2
			
 
				+	k8s.io/client-go => k8s.io/client-go v0.20.2
			
 
				+	k8s.io/cloud-provider => k8s.io/cloud-provider v0.20.2
			
 
				+	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.20.2
			
 
				+	k8s.io/code-generator => k8s.io/code-generator v0.20.2
			
 
				+	k8s.io/component-base => k8s.io/component-base v0.20.2
			
 
				+	k8s.io/component-helpers => k8s.io/component-helpers v0.20.2
			
 
				+	k8s.io/controller-manager => k8s.io/controller-manager v0.20.2
			
 
				+	k8s.io/cri-api => k8s.io/cri-api v0.20.2
			
 
				+	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.20.2
			
 
				+	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.20.2
			
 
				+	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.20.2
			
 
				+	k8s.io/kube-proxy => k8s.io/kube-proxy v0.20.2
			
 
				+	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.20.2
			
 
				+	k8s.io/kubectl => k8s.io/kubectl v0.20.2
			
 
				+	k8s.io/kubelet => k8s.io/kubelet v0.20.2
			
 
				+	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.20.2
			
 
				+	k8s.io/metrics => k8s.io/metrics v0.20.2
			
 
				+	k8s.io/mount-utils => k8s.io/mount-utils v0.20.2
			
 
				+	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.20.2
			
 
				+)
			
 
				+
			
 
				 require (
			
 
				+	github.com/aws/aws-sdk-go v1.35.24
			
 
				 	github.com/go-logr/logr v0.4.0
			
 
				 	github.com/gogo/protobuf v1.3.2 // indirect
			
 
				-	github.com/google/go-cmp v0.5.4 // indirect
			
 
				+	github.com/google/go-cmp v0.5.4
			
 
				 	github.com/google/gofuzz v1.2.0 // indirect
			
 
				 	github.com/google/uuid v1.2.0 // indirect
			
 
				 	github.com/googleapis/gnostic v0.5.4 // indirect
			
--- a/go.sum
+++ b/go.sum
@@ -69,7 +69,10 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj
 
				 github.com/aryann/difflib v0.0.0-20170710044230-e206f873d14a/go.mod h1:DAHtR1m6lCRdSC2Tm3DSWRPvIPr6xNKyeHdqDQSQT+A=
			
 
				 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
			
 
				 github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU=
			
 
				+github.com/aws/aws-sdk-go v1.27.0 h1:0xphMHGMLBrPMfxR2AmVjZKcMEESEgWF8Kru94BNByk=
			
 
				 github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
			
 
				+github.com/aws/aws-sdk-go v1.35.24 h1:U3GNTg8+7xSM6OAJ8zksiSM4bRqxBWmVwwehvOSNG3A=
			
 
				+github.com/aws/aws-sdk-go v1.35.24/go.mod h1:tlPOdRjfxPBpNIwqDj61rmsnA85v9jc0Ps9+muhnW+k=
			
 
				 github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g=
			
 
				 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
			
 
				 github.com/beorn7/perks v1.0.0 h1:HWo1m869IqiPhD389kmkxeTalrjNbbJTC8LXupb+sl0=
			
@@ -301,7 +304,12 @@ github.com/imdario/mergo v0.3.11 h1:3tnifQM4i+fbajXKBHXWEH+KvNHqojZ778UH75j3bGA=
 
				 github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
			
 
				 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
			
 
				 github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo=
			
 
				+github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM=
			
 
				 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
			
 
				+github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
			
 
				+github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
			
 
				+github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
			
 
				+github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
			
 
				 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
			
 
				 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
			
 
				 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
			
@@ -926,24 +934,16 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt
 
				 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
			
 
				 honnef.co/go/tools v0.0.1-2020.1.4 h1:UoveltGrhghAA7ePc+e+QYDHXrBps2PqFZiHkGR/xK8=
			
 
				 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
			
 
				-k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo=
			
 
				 k8s.io/api v0.20.2 h1:y/HR22XDZY3pniu9hIFDLpUCPq2w5eQ6aV/VFQ7uJMw=
			
 
				 k8s.io/api v0.20.2/go.mod h1:d7n6Ehyzx+S+cE3VhTGfVNNqtGc/oL9DCdYYahlurV8=
			
 
				-k8s.io/apiextensions-apiserver v0.20.1 h1:ZrXQeslal+6zKM/HjDXLzThlz/vPSxrfK3OqL8txgVQ=
			
 
				-k8s.io/apiextensions-apiserver v0.20.1/go.mod h1:ntnrZV+6a3dB504qwC5PN/Yg9PBiDNt1EVqbW2kORVk=
			
 
				 k8s.io/apiextensions-apiserver v0.20.2 h1:rfrMWQ87lhd8EzQWRnbQ4gXrniL/yTRBgYH1x1+BLlo=
			
 
				 k8s.io/apiextensions-apiserver v0.20.2/go.mod h1:F6TXp389Xntt+LUq3vw6HFOLttPa0V8821ogLGwb6Zs=
			
 
				-k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
			
 
				 k8s.io/apimachinery v0.20.2 h1:hFx6Sbt1oG0n6DZ+g4bFt5f6BoMkOjKWsQFu077M3Vg=
			
 
				 k8s.io/apimachinery v0.20.2/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
			
 
				-k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU=
			
 
				 k8s.io/apiserver v0.20.2/go.mod h1:2nKd93WyMhZx4Hp3RfgH2K5PhwyTrprrkWYnI7id7jA=
			
 
				-k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y=
			
 
				 k8s.io/client-go v0.20.2 h1:uuf+iIAbfnCSw8IGAv/Rg0giM+2bOzHLOsbbrwrdhNQ=
			
 
				 k8s.io/client-go v0.20.2/go.mod h1:kH5brqWqp7HDxUFKoEgiI4v8G1xzbe9giaCenUWJzgE=
			
 
				-k8s.io/code-generator v0.20.1/go.mod h1:UsqdF+VX4PU2g46NC2JRs4gc+IfrctnwHb76RNbWHJg=
			
 
				 k8s.io/code-generator v0.20.2/go.mod h1:UsqdF+VX4PU2g46NC2JRs4gc+IfrctnwHb76RNbWHJg=
			
 
				-k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk=
			
 
				 k8s.io/component-base v0.20.2 h1:LMmu5I0pLtwjpp5009KLuMGFqSc2S2isGw8t1hpYKLE=
			
 
				 k8s.io/component-base v0.20.2/go.mod h1:pzFtCiwe/ASD0iV7ySMu8SYVJjCapNM9bjvk7ptpKh0=
			
 
				 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
			
--- a/main.go
+++ b/main.go
@@ -44,8 +44,10 @@ func init() {
 
				 
			
 
				 func main() {
			
 
				 	var metricsAddr string
			
 
				+	var controllerClass string
			
 
				 	var enableLeaderElection bool
			
 
				 	flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
			
 
				+	flag.StringVar(&controllerClass, "controller-class", "default", "the controller is instantiated with a specific controller name and filters ES based on this property")
			
 
				 	flag.BoolVar(&enableLeaderElection, "enable-leader-election", false,
			
 
				 		"Enable leader election for controller manager. "+
			
 
				 			"Enabling this will ensure there is only one active controller manager.")
			
@@ -66,17 +68,19 @@ func main() {
 
				 	}
			
 
				 
			
 
				 	if err = (&secretstore.Reconciler{
			
 
				-		Client: mgr.GetClient(),
			
 
				-		Log:    ctrl.Log.WithName("controllers").WithName("SecretStore"),
			
 
				-		Scheme: mgr.GetScheme(),
			
 
				+		Client:          mgr.GetClient(),
			
 
				+		Log:             ctrl.Log.WithName("controllers").WithName("SecretStore"),
			
 
				+		Scheme:          mgr.GetScheme(),
			
 
				+		ControllerClass: controllerClass,
			
 
				 	}).SetupWithManager(mgr); err != nil {
			
 
				 		setupLog.Error(err, "unable to create controller", "controller", "SecretStore")
			
 
				 		os.Exit(1)
			
 
				 	}
			
 
				 	if err = (&externalsecret.Reconciler{
			
 
				-		Client: mgr.GetClient(),
			
 
				-		Log:    ctrl.Log.WithName("controllers").WithName("ExternalSecret"),
			
 
				-		Scheme: mgr.GetScheme(),
			
 
				+		Client:          mgr.GetClient(),
			
 
				+		Log:             ctrl.Log.WithName("controllers").WithName("ExternalSecret"),
			
 
				+		Scheme:          mgr.GetScheme(),
			
 
				+		ControllerClass: controllerClass,
			
 
				 	}).SetupWithManager(mgr); err != nil {
			
 
				 		setupLog.Error(err, "unable to create controller", "controller", "ExternalSecret")
			
 
				 		os.Exit(1)
			
--- a/pkg/controllers/externalsecret/externalsecret_controller.go
+++ b/pkg/controllers/externalsecret/externalsecret_controller.go
@@ -44,8 +44,9 @@ const (
 
				 // ExternalSecretReconciler reconciles a ExternalSecret object.
			
 
				 type Reconciler struct {
			
 
				 	client.Client
			
 
				-	Log    logr.Logger
			
 
				-	Scheme *runtime.Scheme
			
 
				+	Log             logr.Logger
			
 
				+	Scheme          *runtime.Scheme
			
 
				+	ControllerClass string
			
 
				 }
			
 
				 
			
 
				 // +kubebuilder:rbac:groups=external-secrets.io,resources=externalsecrets,verbs=get;list;watch;create;update;patch;delete
			
@@ -77,6 +78,12 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 
				 
			
 
				 	log = log.WithValues("SecretStore", store.GetNamespacedName())
			
 
				 
			
 
				+	// check if store should be handled by this controller instance
			
 
				+	if !r.shouldProcessStore(store) {
			
 
				+		log.Info("skippig unmanaged store")
			
 
				+		return ctrl.Result{}, nil
			
 
				+	}
			
 
				+
			
 
				 	storeProvider, err := schema.GetProvider(store)
			
 
				 	if err != nil {
			
 
				 		log.Error(err, "could not get store provider")
			
@@ -127,6 +134,13 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 
				 	return ctrl.Result{}, nil
			
 
				 }
			
 
				 
			
 
				+func (r *Reconciler) shouldProcessStore(store esv1alpha1.GenericStore) bool {
			
 
				+	if store.GetSpec().Controller == "" || store.GetSpec().Controller != r.ControllerClass {
			
 
				+		return true
			
 
				+	}
			
 
				+	return false
			
 
				+}
			
 
				+
			
 
				 func (r *Reconciler) getStore(ctx context.Context, externalSecret *esv1alpha1.ExternalSecret) (esv1alpha1.GenericStore, error) {
			
 
				 	// TODO: Implement getting ClusterSecretStore
			
 
				 	var secretStore esv1alpha1.SecretStore
			
--- a/pkg/controllers/secretstore/secretstore_controller.go
+++ b/pkg/controllers/secretstore/secretstore_controller.go
@@ -28,8 +28,9 @@ import (
 
				 // Reconciler reconciles a SecretStore object.
			
 
				 type Reconciler struct {
			
 
				 	client.Client
			
 
				-	Log    logr.Logger
			
 
				-	Scheme *runtime.Scheme
			
 
				+	Log             logr.Logger
			
 
				+	Scheme          *runtime.Scheme
			
 
				+	ControllerClass string
			
 
				 }
			
 
				 
			
 
				 // +kubebuilder:rbac:groups=external-secrets.io,resources=secretstores,verbs=get;list;watch;create;update;patch;delete
			
--- a/pkg/provider/aws/provider.go
+++ b/pkg/provider/aws/provider.go
@@ -0,0 +1,57 @@
 
				+package aws
			
 
				+
			
 
				+import (
			
 
				+	"fmt"
			
 
				+
			
 
				+	"github.com/aws/aws-sdk-go/aws"
			
 
				+	"github.com/aws/aws-sdk-go/aws/credentials"
			
 
				+	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
			
 
				+	"github.com/aws/aws-sdk-go/aws/request"
			
 
				+	"github.com/aws/aws-sdk-go/aws/session"
			
 
				+	"github.com/aws/aws-sdk-go/service/sts"
			
 
				+	ctrl "sigs.k8s.io/controller-runtime"
			
 
				+)
			
 
				+
			
 
				+// Config contains configuration to create a new AWS provider.
			
 
				+type Config struct {
			
 
				+	AssumeRole string
			
 
				+	Region     string
			
 
				+	APIRetries int
			
 
				+}
			
 
				+
			
 
				+var log = ctrl.Log.WithName("provider").WithName("aws")
			
 
				+
			
 
				+// NewSession creates a new aws session based on the supported input methods.
			
 
				+// https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
			
 
				+func NewSession(sak, aks, region, role string, stsprovider STSProvider) (*session.Session, error) {
			
 
				+	config := aws.NewConfig()
			
 
				+	sessionOpts := session.Options{
			
 
				+		Config: *config,
			
 
				+	}
			
 
				+	if sak != "" && aks != "" {
			
 
				+		sessionOpts.Config.Credentials = credentials.NewStaticCredentials(aks, sak, "")
			
 
				+		sessionOpts.SharedConfigState = session.SharedConfigDisable
			
 
				+	}
			
 
				+	sess, err := session.NewSessionWithOptions(sessionOpts)
			
 
				+	if err != nil {
			
 
				+		return nil, fmt.Errorf("unable to create aws session: %w", err)
			
 
				+	}
			
 
				+	if region != "" {
			
 
				+		log.V(1).Info("using region", "region", region)
			
 
				+		sess.Config.WithRegion(region)
			
 
				+	}
			
 
				+
			
 
				+	if role != "" {
			
 
				+		log.V(1).Info("assuming role", "role", role)
			
 
				+		stsclient := stsprovider(sess)
			
 
				+		sess.Config.WithCredentials(stscreds.NewCredentialsWithClient(stsclient, role))
			
 
				+	}
			
 
				+	sess.Handlers.Build.PushBack(request.WithAppendUserAgent("external-secrets"))
			
 
				+	return sess, nil
			
 
				+}
			
 
				+
			
 
				+type STSProvider func(*session.Session) stscreds.AssumeRoler
			
 
				+
			
 
				+func DefaultSTSProvider(sess *session.Session) stscreds.AssumeRoler {
			
 
				+	return sts.New(sess)
			
 
				+}
			
--- a/pkg/provider/aws/secretsmanager/secretsmanager.go
+++ b/pkg/provider/aws/secretsmanager/secretsmanager.go
@@ -15,32 +15,145 @@ package secretsmanager
 
				 
			
 
				 import (
			
 
				 	"context"
			
 
				+	"encoding/json"
			
 
				+	"fmt"
			
 
				 
			
 
				+	"github.com/aws/aws-sdk-go/aws/session"
			
 
				+	awssm "github.com/aws/aws-sdk-go/service/secretsmanager"
			
 
				+	v1 "k8s.io/api/core/v1"
			
 
				+	ctrl "sigs.k8s.io/controller-runtime"
			
 
				 	"sigs.k8s.io/controller-runtime/pkg/client"
			
 
				 
			
 
				 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
			
 
				 	"github.com/external-secrets/external-secrets/pkg/provider"
			
 
				+	"github.com/external-secrets/external-secrets/pkg/provider/aws"
			
 
				 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
			
 
				 )
			
 
				 
			
 
				 // SecretsManager is a provider for AWS SecretsManager.
			
 
				-type SecretsManager struct{}
			
 
				+type SecretsManager struct {
			
 
				+	session     *session.Session
			
 
				+	stsProvider aws.STSProvider
			
 
				+	client      SMInterface
			
 
				+}
			
 
				+
			
 
				+// SMInterface is a subset of the smiface api.
			
 
				+// see" https://docs.aws.amazon.com/sdk-for-go/api/service/secretsmanager/secretsmanageriface/
			
 
				+type SMInterface interface {
			
 
				+	GetSecretValue(*awssm.GetSecretValueInput) (*awssm.GetSecretValueOutput, error)
			
 
				+}
			
 
				 
			
 
				-// New constructs a SecretsManager Provider.
			
 
				+var log = ctrl.Log.WithName("provider").WithName("aws").WithName("secretsmanager")
			
 
				+
			
 
				+// New constructs a SecretsManager Provider that is specific to a store.
			
 
				 func (sm *SecretsManager) New(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.Provider, error) {
			
 
				-	return sm, nil // stub
			
 
				+	spc := store.GetSpec().Provider.AWSSM
			
 
				+	if spc == nil {
			
 
				+		return nil, fmt.Errorf("invalid provider spec. Missing AWSSM field in store %s", store.GetObjectMeta().String())
			
 
				+	}
			
 
				+	var sak, aks string
			
 
				+	// use provided credentials via secret reference
			
 
				+	if spc.Auth != nil {
			
 
				+		log.V(1).Info("fetching secrets for authentication")
			
 
				+		ke := client.ObjectKey{
			
 
				+			Name:      spc.Auth.SecretRef.AccessKeyID.Key,
			
 
				+			Namespace: namespace, // default to ExternalSecret namespace
			
 
				+		}
			
 
				+		// ClusterStore must set namespace
			
 
				+		if store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
			
 
				+			if spc.Auth.SecretRef.AccessKeyID.Namespace == nil {
			
 
				+				return nil, fmt.Errorf("invalid ClusterSecretStore: missing AWSSM AccessKeyID Namespace")
			
 
				+			}
			
 
				+			ke.Namespace = *spc.Auth.SecretRef.AccessKeyID.Namespace
			
 
				+		}
			
 
				+		akSecret := v1.Secret{}
			
 
				+		err := kube.Get(ctx, ke, &akSecret)
			
 
				+		if err != nil {
			
 
				+			return nil, fmt.Errorf("could not fetch accessKeyID secret: %w", err)
			
 
				+		}
			
 
				+		ke = client.ObjectKey{
			
 
				+			Name:      spc.Auth.SecretRef.SecretAccessKey.Key,
			
 
				+			Namespace: namespace, // default to ExternalSecret namespace
			
 
				+		}
			
 
				+		// ClusterStore must set namespace
			
 
				+		if store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
			
 
				+			if spc.Auth.SecretRef.SecretAccessKey.Namespace == nil {
			
 
				+				return nil, fmt.Errorf("invalid ClusterSecretStore: missing AWSSM SecretAccessKey Namespace")
			
 
				+			}
			
 
				+			ke.Namespace = *spc.Auth.SecretRef.SecretAccessKey.Namespace
			
 
				+		}
			
 
				+		sakSecret := v1.Secret{}
			
 
				+		err = kube.Get(ctx, ke, &sakSecret)
			
 
				+		if err != nil {
			
 
				+			return nil, fmt.Errorf("could not fetch SecretAccessKey secret: %w", err)
			
 
				+		}
			
 
				+		sak = string(sakSecret.Data[spc.Auth.SecretRef.SecretAccessKey.Key])
			
 
				+		aks = string(akSecret.Data[spc.Auth.SecretRef.AccessKeyID.Key])
			
 
				+		if sak == "" {
			
 
				+			return nil, fmt.Errorf("missing SecretAccessKey")
			
 
				+		}
			
 
				+		if aks == "" {
			
 
				+			return nil, fmt.Errorf("missing AccessKeyID")
			
 
				+		}
			
 
				+	}
			
 
				+	if sm.stsProvider == nil {
			
 
				+		sm.stsProvider = aws.DefaultSTSProvider
			
 
				+	}
			
 
				+	sess, err := aws.NewSession(sak, aks, spc.Region, spc.Role, sm.stsProvider)
			
 
				+	if err != nil {
			
 
				+		return nil, err
			
 
				+	}
			
 
				+	sm.session = sess
			
 
				+	sm.client = awssm.New(sess)
			
 
				+	return sm, nil
			
 
				 }
			
 
				 
			
 
				 // GetSecret returns a single secret from the provider.
			
 
				 func (sm *SecretsManager) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
			
 
				-	return []byte("NOOP"), nil
			
 
				+	ver := "AWSCURRENT"
			
 
				+	if ref.Version != "" {
			
 
				+		ver = ref.Version
			
 
				+	}
			
 
				+	log.Info("fetching secret value", "key", ref.Key, "version", ver)
			
 
				+	secretOut, err := sm.client.GetSecretValue(&awssm.GetSecretValueInput{
			
 
				+		SecretId:     &ref.Key,
			
 
				+		VersionStage: &ver,
			
 
				+	})
			
 
				+	if err != nil {
			
 
				+		return nil, err
			
 
				+	}
			
 
				+	if ref.Property == "" {
			
 
				+		return []byte(*secretOut.SecretString), nil
			
 
				+	}
			
 
				+	kv := make(map[string]string)
			
 
				+	err = json.Unmarshal([]byte(*secretOut.SecretString), &kv)
			
 
				+	if err != nil {
			
 
				+		return nil, fmt.Errorf("unable to unmarshal secret %s: %w", ref.Key, err)
			
 
				+	}
			
 
				+	val, ok := kv[ref.Property]
			
 
				+	if !ok {
			
 
				+		return nil, fmt.Errorf("secret %s has no property %s", ref.Key, ref.Property)
			
 
				+	}
			
 
				+	return []byte(val), nil
			
 
				 }
			
 
				 
			
 
				 // GetSecretMap returns multiple k/v pairs from the provider.
			
 
				 func (sm *SecretsManager) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
			
 
				-	return map[string][]byte{
			
 
				-		"noop": []byte("NOOP"),
			
 
				-	}, nil
			
 
				+	log.Info("fetching secret map", "key", ref.Key)
			
 
				+	data, err := sm.GetSecret(ctx, ref)
			
 
				+	if err != nil {
			
 
				+		return nil, err
			
 
				+	}
			
 
				+	kv := make(map[string]string)
			
 
				+	err = json.Unmarshal(data, &kv)
			
 
				+	if err != nil {
			
 
				+		return nil, fmt.Errorf("unable to unmarshal secret %s: %w", ref.Key, err)
			
 
				+	}
			
 
				+	secretData := make(map[string][]byte)
			
 
				+	for k, v := range kv {
			
 
				+		secretData[k] = []byte(v)
			
 
				+	}
			
 
				+	return secretData, nil
			
 
				 }
			
 
				 
			
 
				 func init() {
			
--- a/pkg/provider/aws/secretsmanager/secretsmanager_test.go
+++ b/pkg/provider/aws/secretsmanager/secretsmanager_test.go
@@ -1 +1,332 @@
 
				 package secretsmanager
			
 
				+
			
 
				+import (
			
 
				+	"context"
			
 
				+	"fmt"
			
 
				+	"os"
			
 
				+	"strings"
			
 
				+	"time"
			
 
				+
			
 
				+	"github.com/aws/aws-sdk-go/aws"
			
 
				+	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
			
 
				+	"github.com/aws/aws-sdk-go/aws/session"
			
 
				+	awssm "github.com/aws/aws-sdk-go/service/secretsmanager"
			
 
				+	"github.com/aws/aws-sdk-go/service/sts"
			
 
				+	"github.com/google/go-cmp/cmp"
			
 
				+	. "github.com/onsi/ginkgo"
			
 
				+	. "github.com/onsi/gomega"
			
 
				+
			
 
				+	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
			
 
				+)
			
 
				+
			
 
				+var _ = Describe("SSM", func() {
			
 
				+
			
 
				+	It("Should create an Client using environment variables", func() {
			
 
				+		sm := &SecretsManager{}
			
 
				+		os.Setenv("AWS_SECRET_ACCESS_KEY", "1111")
			
 
				+		os.Setenv("AWS_ACCESS_KEY_ID", "2222")
			
 
				+		defer os.Unsetenv("AWS_SECRET_ACCESS_KEY")
			
 
				+		defer os.Unsetenv("AWS_ACCESS_KEY_ID")
			
 
				+		smi, err := sm.New(context.Background(), &esv1alpha1.SecretStore{
			
 
				+			Spec: esv1alpha1.SecretStoreSpec{
			
 
				+				Provider: &esv1alpha1.SecretStoreProvider{
			
 
				+					// defaults
			
 
				+					AWSSM: &esv1alpha1.AWSSMProvider{},
			
 
				+				},
			
 
				+			},
			
 
				+		}, k8sClient, "example-ns")
			
 
				+		Expect(err).ToNot(HaveOccurred())
			
 
				+		Expect(smi).ToNot(BeNil())
			
 
				+
			
 
				+		creds, err := sm.session.Config.Credentials.Get()
			
 
				+		Expect(err).ToNot(HaveOccurred())
			
 
				+		Expect(creds.AccessKeyID).To(Equal("2222"))
			
 
				+		Expect(creds.SecretAccessKey).To(Equal("1111"))
			
 
				+	})
			
 
				+
			
 
				+	It("Should create an Client using environment variables and assume a role", func() {
			
 
				+		sts := &FakeSTS{
			
 
				+			AssumeRoleFunc: func(input *sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error) {
			
 
				+				Expect(*input.RoleArn).To(Equal("my-awesome-role"))
			
 
				+				return &sts.AssumeRoleOutput{
			
 
				+					AssumedRoleUser: &sts.AssumedRoleUser{
			
 
				+						Arn:           aws.String("1123132"),
			
 
				+						AssumedRoleId: aws.String("xxxxx"),
			
 
				+					},
			
 
				+					Credentials: &sts.Credentials{
			
 
				+						AccessKeyId:     aws.String("3333"),
			
 
				+						SecretAccessKey: aws.String("4444"),
			
 
				+						Expiration:      aws.Time(time.Now().Add(time.Hour)),
			
 
				+						SessionToken:    aws.String("6666"),
			
 
				+					},
			
 
				+				}, nil
			
 
				+			},
			
 
				+		}
			
 
				+		sm := &SecretsManager{
			
 
				+			stsProvider: func(se *session.Session) stscreds.AssumeRoler {
			
 
				+				// check if the correct temporary credentials were used
			
 
				+				creds, err := se.Config.Credentials.Get()
			
 
				+				Expect(err).ToNot(HaveOccurred())
			
 
				+				Expect(creds.AccessKeyID).To(Equal("2222"))
			
 
				+				Expect(creds.SecretAccessKey).To(Equal("1111"))
			
 
				+				return sts
			
 
				+			},
			
 
				+		}
			
 
				+		os.Setenv("AWS_SECRET_ACCESS_KEY", "1111")
			
 
				+		os.Setenv("AWS_ACCESS_KEY_ID", "2222")
			
 
				+		defer os.Unsetenv("AWS_SECRET_ACCESS_KEY")
			
 
				+		defer os.Unsetenv("AWS_ACCESS_KEY_ID")
			
 
				+		smi, err := sm.New(context.Background(), &esv1alpha1.SecretStore{
			
 
				+			Spec: esv1alpha1.SecretStoreSpec{
			
 
				+				Provider: &esv1alpha1.SecretStoreProvider{
			
 
				+					// do assume role!
			
 
				+					AWSSM: &esv1alpha1.AWSSMProvider{
			
 
				+						Role: "my-awesome-role",
			
 
				+					},
			
 
				+				},
			
 
				+			},
			
 
				+		}, k8sClient, "example-ns")
			
 
				+		Expect(err).ToNot(HaveOccurred())
			
 
				+		Expect(smi).ToNot(BeNil())
			
 
				+
			
 
				+		creds, err := sm.session.Config.Credentials.Get()
			
 
				+		Expect(err).ToNot(HaveOccurred())
			
 
				+		Expect(creds.AccessKeyID).To(Equal("3333"))
			
 
				+		Expect(creds.SecretAccessKey).To(Equal("4444"))
			
 
				+	})
			
 
				+
			
 
				+	It("GetSecret should return the correct values", func() {
			
 
				+		fake := &FakeSM{}
			
 
				+		p := &SecretsManager{
			
 
				+			client: fake,
			
 
				+		}
			
 
				+		for i, row := range []struct {
			
 
				+			apiInput       *awssm.GetSecretValueInput
			
 
				+			apiOutput      *awssm.GetSecretValueOutput
			
 
				+			rr             esv1alpha1.ExternalSecretDataRemoteRef
			
 
				+			apiErr         error
			
 
				+			expectError    string
			
 
				+			expectedSecret string
			
 
				+		}{
			
 
				+			{
			
 
				+				// good case: default version is set
			
 
				+				// key is passed in, output is sent back
			
 
				+				apiInput: &awssm.GetSecretValueInput{
			
 
				+					SecretId:     aws.String("/baz"),
			
 
				+					VersionStage: aws.String("AWSCURRENT"),
			
 
				+				},
			
 
				+				rr: esv1alpha1.ExternalSecretDataRemoteRef{
			
 
				+					Key: "/baz",
			
 
				+				},
			
 
				+				apiOutput: &awssm.GetSecretValueOutput{
			
 
				+					SecretString: aws.String("RRRRR"),
			
 
				+				},
			
 
				+				apiErr:         nil,
			
 
				+				expectError:    "",
			
 
				+				expectedSecret: "RRRRR",
			
 
				+			},
			
 
				+			{
			
 
				+				// good case: extract property
			
 
				+				apiInput: &awssm.GetSecretValueInput{
			
 
				+					SecretId:     aws.String("/baz"),
			
 
				+					VersionStage: aws.String("AWSCURRENT"),
			
 
				+				},
			
 
				+				rr: esv1alpha1.ExternalSecretDataRemoteRef{
			
 
				+					Key:      "/baz",
			
 
				+					Property: "/shmoo",
			
 
				+				},
			
 
				+				apiOutput: &awssm.GetSecretValueOutput{
			
 
				+					SecretString: aws.String(`{"/shmoo": "bang"}`),
			
 
				+				},
			
 
				+				apiErr:         nil,
			
 
				+				expectError:    "",
			
 
				+				expectedSecret: "bang",
			
 
				+			},
			
 
				+			{
			
 
				+				// bad case: missing property
			
 
				+				apiInput: &awssm.GetSecretValueInput{
			
 
				+					SecretId:     aws.String("/baz"),
			
 
				+					VersionStage: aws.String("AWSCURRENT"),
			
 
				+				},
			
 
				+				rr: esv1alpha1.ExternalSecretDataRemoteRef{
			
 
				+					Key:      "/baz",
			
 
				+					Property: "DOES NOT EXIST",
			
 
				+				},
			
 
				+				apiOutput: &awssm.GetSecretValueOutput{
			
 
				+					SecretString: aws.String(`{"/shmoo": "bang"}`),
			
 
				+				},
			
 
				+				apiErr:         nil,
			
 
				+				expectError:    "has no property",
			
 
				+				expectedSecret: "",
			
 
				+			},
			
 
				+			{
			
 
				+				// bad case: extract property failure due to invalid json
			
 
				+				apiInput: &awssm.GetSecretValueInput{
			
 
				+					SecretId:     aws.String("/baz"),
			
 
				+					VersionStage: aws.String("AWSCURRENT"),
			
 
				+				},
			
 
				+				rr: esv1alpha1.ExternalSecretDataRemoteRef{
			
 
				+					Key:      "/baz",
			
 
				+					Property: "/shmoo",
			
 
				+				},
			
 
				+				apiOutput: &awssm.GetSecretValueOutput{
			
 
				+					SecretString: aws.String(`------`),
			
 
				+				},
			
 
				+				apiErr:         nil,
			
 
				+				expectError:    "unable to unmarshal secret",
			
 
				+				expectedSecret: "",
			
 
				+			},
			
 
				+			{
			
 
				+				// should pass version
			
 
				+				apiInput: &awssm.GetSecretValueInput{
			
 
				+					SecretId:     aws.String("/foo/bar"),
			
 
				+					VersionStage: aws.String("1234"),
			
 
				+				},
			
 
				+				rr: esv1alpha1.ExternalSecretDataRemoteRef{
			
 
				+					Key:     "/foo/bar",
			
 
				+					Version: "1234",
			
 
				+				},
			
 
				+				apiOutput: &awssm.GetSecretValueOutput{
			
 
				+					SecretString: aws.String("FOOBA!"),
			
 
				+				},
			
 
				+				apiErr:         nil,
			
 
				+				expectError:    "",
			
 
				+				expectedSecret: "FOOBA!",
			
 
				+			},
			
 
				+			{
			
 
				+				// should return err
			
 
				+				apiInput: &awssm.GetSecretValueInput{
			
 
				+					SecretId:     aws.String("/foo/bar"),
			
 
				+					VersionStage: aws.String("AWSCURRENT"),
			
 
				+				},
			
 
				+				rr: esv1alpha1.ExternalSecretDataRemoteRef{
			
 
				+					Key: "/foo/bar",
			
 
				+				},
			
 
				+				apiOutput:   &awssm.GetSecretValueOutput{},
			
 
				+				apiErr:      fmt.Errorf("oh no"),
			
 
				+				expectError: "oh no",
			
 
				+			},
			
 
				+		} {
			
 
				+			fake.WithValue(row.apiInput, row.apiOutput, row.apiErr)
			
 
				+			out, err := p.GetSecret(context.Background(), row.rr)
			
 
				+			if !ErrorContains(err, row.expectError) {
			
 
				+				GinkgoT().Errorf("[%d] unexpected error: %s, expected: '%s'", i, err.Error(), row.expectError)
			
 
				+			}
			
 
				+			if string(out) != row.expectedSecret {
			
 
				+				GinkgoT().Errorf("[%d] unexpected secret: expected %s, got %s", i, row.expectedSecret, string(out))
			
 
				+			}
			
 
				+		}
			
 
				+	})
			
 
				+
			
 
				+	It("GetSecretMap should return correct values", func() {
			
 
				+		fake := &FakeSM{}
			
 
				+		p := &SecretsManager{
			
 
				+			client: fake,
			
 
				+		}
			
 
				+		for i, row := range []struct {
			
 
				+			apiInput     *awssm.GetSecretValueInput
			
 
				+			apiOutput    *awssm.GetSecretValueOutput
			
 
				+			rr           esv1alpha1.ExternalSecretDataRemoteRef
			
 
				+			expectedData map[string]string
			
 
				+			apiErr       error
			
 
				+			expectError  string
			
 
				+		}{
			
 
				+			{
			
 
				+				// good case: default version & deserialization
			
 
				+				apiInput: &awssm.GetSecretValueInput{
			
 
				+					SecretId:     aws.String("/baz"),
			
 
				+					VersionStage: aws.String("AWSCURRENT"),
			
 
				+				},
			
 
				+				apiOutput: &awssm.GetSecretValueOutput{
			
 
				+					SecretString: aws.String(`{"foo":"bar"}`),
			
 
				+				},
			
 
				+				rr: esv1alpha1.ExternalSecretDataRemoteRef{
			
 
				+					Key: "/baz",
			
 
				+				},
			
 
				+				expectedData: map[string]string{
			
 
				+					"foo": "bar",
			
 
				+				},
			
 
				+				apiErr:      nil,
			
 
				+				expectError: "",
			
 
				+			},
			
 
				+			{
			
 
				+				// bad case: api error returned
			
 
				+				apiInput: &awssm.GetSecretValueInput{
			
 
				+					SecretId:     aws.String("/baz"),
			
 
				+					VersionStage: aws.String("AWSCURRENT"),
			
 
				+				},
			
 
				+				apiOutput: &awssm.GetSecretValueOutput{
			
 
				+					SecretString: aws.String(`{"foo":"bar"}`),
			
 
				+				},
			
 
				+				rr: esv1alpha1.ExternalSecretDataRemoteRef{
			
 
				+					Key: "/baz",
			
 
				+				},
			
 
				+				expectedData: map[string]string{
			
 
				+					"foo": "bar",
			
 
				+				},
			
 
				+				apiErr:      fmt.Errorf("some api err"),
			
 
				+				expectError: "some api err",
			
 
				+			},
			
 
				+			{
			
 
				+				// bad case: invalid json
			
 
				+				apiInput: &awssm.GetSecretValueInput{
			
 
				+					SecretId:     aws.String("/baz"),
			
 
				+					VersionStage: aws.String("AWSCURRENT"),
			
 
				+				},
			
 
				+				apiOutput: &awssm.GetSecretValueOutput{
			
 
				+					SecretString: aws.String(`-----------------`),
			
 
				+				},
			
 
				+				rr: esv1alpha1.ExternalSecretDataRemoteRef{
			
 
				+					Key: "/baz",
			
 
				+				},
			
 
				+				expectedData: map[string]string{},
			
 
				+				apiErr:       nil,
			
 
				+				expectError:  "unable to unmarshal secret",
			
 
				+			},
			
 
				+		} {
			
 
				+			fake.WithValue(row.apiInput, row.apiOutput, row.apiErr)
			
 
				+			out, err := p.GetSecretMap(context.Background(), row.rr)
			
 
				+			if !ErrorContains(err, row.expectError) {
			
 
				+				GinkgoT().Errorf("[%d] unexpected error: %s, expected: '%s'", i, err.Error(), row.expectError)
			
 
				+			}
			
 
				+			if cmp.Equal(out, row.expectedData) {
			
 
				+				GinkgoT().Errorf("[%d] unexpected secret data: expected %#v, got %#v", i, row.expectedData, out)
			
 
				+			}
			
 
				+		}
			
 
				+	})
			
 
				+})
			
 
				+
			
 
				+func ErrorContains(out error, want string) bool {
			
 
				+	if out == nil {
			
 
				+		return want == ""
			
 
				+	}
			
 
				+	if want == "" {
			
 
				+		return false
			
 
				+	}
			
 
				+	return strings.Contains(out.Error(), want)
			
 
				+}
			
 
				+
			
 
				+type FakeSM struct {
			
 
				+	valFn func(*awssm.GetSecretValueInput) (*awssm.GetSecretValueOutput, error)
			
 
				+}
			
 
				+
			
 
				+func (sm *FakeSM) GetSecretValue(in *awssm.GetSecretValueInput) (*awssm.GetSecretValueOutput, error) {
			
 
				+	return sm.valFn(in)
			
 
				+}
			
 
				+
			
 
				+func (sm *FakeSM) WithValue(in *awssm.GetSecretValueInput, val *awssm.GetSecretValueOutput, err error) {
			
 
				+	sm.valFn = func(paramIn *awssm.GetSecretValueInput) (*awssm.GetSecretValueOutput, error) {
			
 
				+		if !cmp.Equal(paramIn, in) {
			
 
				+			return nil, fmt.Errorf("unexpected test argument")
			
 
				+		}
			
 
				+		return val, err
			
 
				+	}
			
 
				+}
			
 
				+
			
 
				+type FakeSTS struct {
			
 
				+	AssumeRoleFunc func(*sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error)
			
 
				+}
			
 
				+
			
 
				+func (f *FakeSTS) AssumeRole(input *sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error) {
			
 
				+	return f.AssumeRoleFunc(input)
			
 
				+}
			
--- a/pkg/provider/aws/secretsmanager/suite_test.go
+++ b/pkg/provider/aws/secretsmanager/suite_test.go
@@ -0,0 +1,75 @@
 
				+/*
			
 
				+Licensed under the Apache License, Version 2.0 (the "License");
			
 
				+you may not use this file except in compliance with the License.
			
 
				+You may obtain a copy of the License at
			
 
				+
			
 
				+    http://www.apache.org/licenses/LICENSE-2.0
			
 
				+
			
 
				+Unless required by applicable law or agreed to in writing, software
			
 
				+distributed under the License is distributed on an "AS IS" BASIS,
			
 
				+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
			
 
				+See the License for the specific language governing permissions and
			
 
				+limitations under the License.
			
 
				+*/
			
 
				+
			
 
				+package secretsmanager
			
 
				+
			
 
				+import (
			
 
				+	"testing"
			
 
				+
			
 
				+	. "github.com/onsi/ginkgo"
			
 
				+	. "github.com/onsi/gomega"
			
 
				+	"k8s.io/client-go/kubernetes/scheme"
			
 
				+	"k8s.io/client-go/rest"
			
 
				+	ctrl "sigs.k8s.io/controller-runtime"
			
 
				+	"sigs.k8s.io/controller-runtime/pkg/client"
			
 
				+	"sigs.k8s.io/controller-runtime/pkg/envtest"
			
 
				+	"sigs.k8s.io/controller-runtime/pkg/envtest/printer"
			
 
				+	logf "sigs.k8s.io/controller-runtime/pkg/log"
			
 
				+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
			
 
				+
			
 
				+	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
			
 
				+)
			
 
				+
			
 
				+var cfg *rest.Config
			
 
				+var k8sClient client.Client
			
 
				+var testEnv *envtest.Environment
			
 
				+
			
 
				+func TestAPIs(t *testing.T) {
			
 
				+	RegisterFailHandler(Fail)
			
 
				+
			
 
				+	RunSpecsWithDefaultAndCustomReporters(t,
			
 
				+		"AWSSM Suite",
			
 
				+		[]Reporter{printer.NewlineReporter{}})
			
 
				+}
			
 
				+
			
 
				+var _ = BeforeSuite(func() {
			
 
				+	log := zap.New(zap.WriteTo(GinkgoWriter))
			
 
				+	logf.SetLogger(log)
			
 
				+
			
 
				+	By("bootstrapping test environment")
			
 
				+	testEnv = &envtest.Environment{}
			
 
				+
			
 
				+	var err error
			
 
				+	cfg, err = testEnv.Start()
			
 
				+	Expect(err).ToNot(HaveOccurred())
			
 
				+	Expect(cfg).ToNot(BeNil())
			
 
				+
			
 
				+	err = esv1alpha1.AddToScheme(scheme.Scheme)
			
 
				+	Expect(err).NotTo(HaveOccurred())
			
 
				+
			
 
				+	k8sManager, err := ctrl.NewManager(cfg, ctrl.Options{
			
 
				+		Scheme: scheme.Scheme,
			
 
				+	})
			
 
				+	Expect(err).ToNot(HaveOccurred())
			
 
				+
			
 
				+	k8sClient = k8sManager.GetClient()
			
 
				+	Expect(k8sClient).ToNot(BeNil())
			
 
				+
			
 
				+}, 60)
			
 
				+
			
 
				+var _ = AfterSuite(func() {
			
 
				+	By("tearing down the test environment")
			
 
				+	err := testEnv.Stop()
			
 
				+	Expect(err).ToNot(HaveOccurred())
			
 
				+})