
e2e/aws parameterstore v2 auth profile parity

Moritz Johner 2 сар өмнө
parent
commit
e59f330756

+ 33 - 7
e2e/suites/provider/cases/aws/parameterstore/provider_support_v2.go

@@ -525,19 +525,41 @@ func (p *ProviderV2) DeleteSecret(key string) {
 
 func useV2StaticAuth(prov *ProviderV2) func(*framework.TestCase) {
 	return func(tc *framework.TestCase) {
-		tc.Prepare = prov.prepareNamespacedProvider()
+		tc.Prepare = prov.prepareNamespacedProvider(awsV2AuthProfileStatic)
 	}
 }
 
-func (p *ProviderV2) prepareNamespacedProvider() func(*framework.TestCase, framework.SecretStoreProvider) {
+func useV2ExternalIDAuth(prov *ProviderV2) func(*framework.TestCase) {
+	return func(tc *framework.TestCase) {
+		tc.Prepare = prov.prepareNamespacedProvider(awsV2AuthProfileExternalID)
+	}
+}
+
+func useV2SessionTagsAuth(prov *ProviderV2) func(*framework.TestCase) {
+	return func(tc *framework.TestCase) {
+		tc.Prepare = prov.prepareNamespacedProvider(awsV2AuthProfileSessionTags)
+	}
+}
+
+func (p *ProviderV2) prepareNamespacedProvider(profile ...awsV2AuthProfile) func(*framework.TestCase, framework.SecretStoreProvider) {
+	authProfile := awsV2AuthProfileStatic
+	if len(profile) > 0 {
+		authProfile = profile[0]
+	}
+	return p.prepareNamespacedProviderAtAddress(authProfile, frameworkv2.ProviderAddress("aws"))
+}
+
+func (p *ProviderV2) prepareNamespacedProviderAtAddress(profile awsV2AuthProfile, address string) func(*framework.TestCase, framework.SecretStoreProvider) {
 	return func(_ *framework.TestCase, _ framework.SecretStoreProvider) {
-		configName := p.providerConfigName()
-		createParameterStoreV2Config(p.framework, p.framework.Namespace.Name, configName, p.access)
+		skipIfAWSAssumeRoleProbeDenied(p.access, profile)
+
+		configName := p.providerConfigName(profile)
+		createParameterStoreV2Config(p.framework, p.framework.Namespace.Name, configName, p.access, profile)
 		frameworkv2.CreateProviderConnection(
 			p.framework,
 			p.framework.Namespace.Name,
 			p.framework.Namespace.Name,
-			frameworkv2.ProviderAddress("aws"),
+			address,
 			awsProviderAPIVersion,
 			awsv2alpha1.ParameterStoreKind,
 			configName,
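Review bot: The new `skipIfAWSAssumeRoleProbeDenied(p.access, profile)` call at the top of the Prepare closure can let the external-ID and session-tags cases drop out of a run without failing it, if the helper skips the spec as its name suggests (its body is not on this page). A broken trust policy or credential regression for those profiles would then surface as a skip rather than a failure. I would document that at the call site, e.g. `// Skips the spec when the AssumeRole probe is denied; pipelines that must cover external-ID/session-tags auth should treat this skip as a failure.`, and confirm the helper returns immediately for `awsV2AuthProfileStatic`. The closure body continues past the end of this hunk.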
@@ -547,8 +569,12 @@ func (p *ProviderV2) prepareNamespacedProvider() func(*framework.TestCase, frame
 	}
 }
 
-func (p *ProviderV2) providerConfigName() string {
-	return fmt.Sprintf("%s-parameterstore", p.framework.Namespace.Name)
+func (p *ProviderV2) providerConfigName(profile ...awsV2AuthProfile) string {
+	authProfile := awsV2AuthProfileStatic
+	if len(profile) > 0 {
+		authProfile = profile[0]
+	}
+	return fmt.Sprintf("%s-%s", p.framework.Namespace.Name, authProfile)
 }
 
 func createParameterStoreV2ProviderConnection(f *framework.Framework, namespace, name, providerName, providerNamespace string) {
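Review bot: The default-profile fallback in `providerConfigName` repeats the same four lines already added to `prepareNamespacedProvider` in the previous hunk, and both variadic signatures silently ignore any argument after the first. A small shared helper keeps the default in one place and gives a spot to document that only the first profile is used. Separately, the generated name no longer contains `parameterstore`; whether another AWS suite can create a `<namespace>-<profile>` config in the same namespace is not visible here and is worth checking.

```go
// resolveAWSV2AuthProfile returns the first profile given, or the static
// profile when none is passed; any further arguments are ignored.
func resolveAWSV2AuthProfile(profile []awsV2AuthProfile) awsV2AuthProfile {
	if len(profile) > 0 {
		return profile[0]
	}
	return awsV2AuthProfileStatic
}

func (p *ProviderV2) providerConfigName(profile ...awsV2AuthProfile) string {
	return fmt.Sprintf("%s-%s", p.framework.Namespace.Name, resolveAWSV2AuthProfile(profile))
}
```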

+ 45 - 0
e2e/suites/provider/cases/aws/parameterstore/provider_v2.go

@@ -28,6 +28,11 @@ import (
 	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 )
 
+const (
+	withExtID       = "with externalID"
+	withSessionTags = "with session tags"
+)
+
 var _ = Describe("[aws] v2 namespaced provider", Label("aws", "parameterstore", "v2", "namespaced-provider"), func() {
 	f := framework.New("eso-aws-ps-v2")
 	prov := NewProviderV2(f)
@@ -70,6 +75,8 @@ var _ = Describe("[aws] v2 namespaced provider", Label("aws", "parameterstore",
 		framework.Compose(withStaticAuth, f, FindByTag, useV2StaticAuth(prov)),
 		framework.Compose(withStaticAuth, f, versionedParameterV2(prov), useV2StaticAuth(prov)),
 		framework.Compose(withStaticAuth, f, common.StatusNotUpdatedAfterSuccessfulSync, useV2StaticAuth(prov)),
+		framework.Compose(withExtID, f, simpleSyncWithNamespaceTagsV2(), useV2ExternalIDAuth(prov)),
+		framework.Compose(withSessionTags, f, simpleSyncWithNamespaceTagsV2(), useV2SessionTagsAuth(prov)),
 	)
 })
 
@@ -118,3 +125,41 @@ func commonVersionedExternalSecretData(secretKey string, versions []int) []esapi
 	}
 	return data
 }
+
+func simpleSyncWithNamespaceTagsV2() func(*framework.Framework) (string, func(*framework.TestCase)) {
+	return func(f *framework.Framework) (string, func(*framework.TestCase)) {
+		return "[common] should sync tagged simple secrets from .Data[]", func(tc *framework.TestCase) {
+			secretKey1 := fmt.Sprintf("%s-%s", f.Namespace.Name, "one")
+			secretKey2 := fmt.Sprintf("%s-%s", f.Namespace.Name, "other")
+			remoteRefKey1 := f.MakeRemoteRefKey(secretKey1)
+			remoteRefKey2 := f.MakeRemoteRefKey(secretKey2)
+			secretValue := "bar"
+
+			tc.Secrets = map[string]framework.SecretEntry{
+				remoteRefKey1: {Value: secretValue, Tags: map[string]string{"namespace": "e2e-test"}},
+				remoteRefKey2: {Value: secretValue, Tags: map[string]string{"namespace": "e2e-test"}},
+			}
+			tc.ExpectedSecret = &corev1.Secret{
+				Type: corev1.SecretTypeOpaque,
+				Data: map[string][]byte{
+					secretKey1: []byte(secretValue),
+					secretKey2: []byte(secretValue),
+				},
+			}
+			tc.ExternalSecret.Spec.Data = []esapi.ExternalSecretData{
+				{
+					SecretKey: secretKey1,
+					RemoteRef: esapi.ExternalSecretDataRemoteRef{
+						Key: remoteRefKey1,
+					},
+				},
+				{
+					SecretKey: secretKey2,
+					RemoteRef: esapi.ExternalSecretDataRemoteRef{
+						Key: remoteRefKey2,
+					},
+				},
+			}
+		}
+	}
+}
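Review bot: `simpleSyncWithNamespaceTagsV2` asserts only the success path, so the `with externalID` and `with session tags` entries would also pass against a role whose policy does not actually require the external ID or the tag. If the e2e IAM setup allows it, a companion case that expects the sync to fail when the external ID or tag does not match would show the condition is enforced rather than merely accepted. The tag value `"e2e-test"` is a literal on both entries; a short comment stating which policy condition it is meant to satisfy would explain why it is not derived from `f.Namespace.Name`.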

+ 36 - 0
e2e/suites/provider/cases/aws/parameterstore/provider_v2_test.go

@@ -70,3 +70,39 @@ func TestVersionedParameterV2RegistersCleanupWithoutDeletingDuringSetup(t *testi
 		t.Fatalf("expected %d delete after cleanup, got %d", want, got)
 	}
 }
+
+func TestProviderV2ConfigNameDefaultsToStaticProfile(t *testing.T) {
+	t.Parallel()
+
+	prov := &ProviderV2{
+		framework: &framework.Framework{
+			Namespace: &corev1.Namespace{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-ns"},
+			},
+		},
+	}
+
+	got := prov.providerConfigName()
+	want := "test-ns-static"
+	if got != want {
+		t.Fatalf("expected default config name %q, got %q", want, got)
+	}
+}
+
+func TestProviderV2ConfigNameIncludesAuthProfile(t *testing.T) {
+	t.Parallel()
+
+	prov := &ProviderV2{
+		framework: &framework.Framework{
+			Namespace: &corev1.Namespace{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-ns"},
+			},
+		},
+	}
+
+	got := prov.providerConfigName(awsV2AuthProfileSessionTags)
+	want := "test-ns-session-tags"
+	if got != want {
+		t.Fatalf("expected profile specific config name %q, got %q", want, got)
+	}
+}
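Review bot: The two new tests cover the default and `awsV2AuthProfileSessionTags` but not `awsV2AuthProfileExternalID` or an explicitly passed `awsV2AuthProfileStatic`, and they build the same `ProviderV2` fixture twice. A single table-driven test keeps the fixture once and makes adding a profile a one-row change. The external-ID row needs the string value of that constant, which is not shown on this page, so it is left as a comment below.

```go
func TestProviderV2ConfigName(t *testing.T) {
	t.Parallel()

	// … unchanged: prov := &ProviderV2{…} with namespace "test-ns" …

	cases := []struct {
		name    string
		profile []awsV2AuthProfile
		want    string
	}{
		{name: "default", want: "test-ns-static"},
		{name: "explicit static", profile: []awsV2AuthProfile{awsV2AuthProfileStatic}, want: "test-ns-static"},
		{name: "session tags", profile: []awsV2AuthProfile{awsV2AuthProfileSessionTags}, want: "test-ns-session-tags"},
		// add a row for awsV2AuthProfileExternalID using the constant's actual value
	}
	for _, tc := range cases {
		if got := prov.providerConfigName(tc.profile...); got != tc.want {
			t.Errorf("%s: expected config name %q, got %q", tc.name, tc.want, got)
		}
	}
}
```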