PYTHON-3906 Use AWS Secrets for Atlas tests (#1342)

Author: NoahStapp

.evergreen/config.yml

@@ -543,40 +543,22 @@ functions:
             bash ${PROJECT_DIRECTORY}/.evergreen/tox.sh -m test-eg
 
   "run atlas tests":
-    - command: shell.exec
-      type: test
+    - command: ec2.assume_role
       params:
-        silent: true
-        working_dir: "src"
-        script: |
-          cat <<EOT > prepare_atlas_connectivity.sh
-          export ATLAS_FREE='${atlas_free}'
-          export ATLAS_REPL='${atlas_repl}'
-          export ATLAS_SHRD='${atlas_shrd}'
-          export ATLAS_TLS11='${atlas_tls11}'
-          export ATLAS_TLS12='${atlas_tls12}'
-          export ATLAS_SERVERLESS='${atlas_serverless}'
-          export ATLAS_SRV_FREE='${atlas_srv_free}'
-          export ATLAS_SRV_REPL='${atlas_srv_repl}'
-          export ATLAS_SRV_SHRD='${atlas_srv_shrd}'
-          export ATLAS_SRV_TLS11='${atlas_srv_tls11}'
-          export ATLAS_SRV_TLS12='${atlas_srv_tls12}'
-          export ATLAS_SRV_SERVERLESS='${atlas_srv_serverless}'
-          EOT
+        role_arn: ${aws_test_secrets_role}
     - command: shell.exec
       type: test
       params:
+        add_expansions_to_env: true
         working_dir: "src"
         script: |
           # Disable xtrace for security reasons (just in case it was accidentally set).
           set +x
-
-          . ./prepare_atlas_connectivity.sh
-          rm -f ./prepare_atlas_connectivity.sh
-
           set -o errexit
           set -o xtrace
-          ${PYTHON_BINARY} -m tox -m test-atlas
+
+          bash ${PROJECT_DIRECTORY}/.evergreen/tox.sh -m aws-secrets -- drivers/atlas_connect
+          TEST_ATLAS=1 bash ${PROJECT_DIRECTORY}/.evergreen/tox.sh -m test-eg
 
   "add aws auth variables to file":
     - command: shell.exec

.evergreen/run-tests.sh

@@ -26,6 +26,7 @@ set -o errexit  # Exit the script with error if any of the commands fail
 #  TEST_PERF            If non-empty, run performance tests
 #  TEST_OCSP            If non-empty, run OCSP tests
 #  TEST_ENCRYPTION_PYOPENSSL    If non-empy, test encryption with PyOpenSSL
+#  TEST_ATLAS   If non-empty, test Atlas connections
 
 if [ -n "${SET_XTRACE_ON}" ]; then
     set -o xtrace
@@ -205,6 +206,10 @@ if [ -n "$TEST_DATA_LAKE" ] && [ -z "$TEST_ARGS" ]; then
     TEST_ARGS="test/test_data_lake.py"
 fi
 
+if [ -n "$TEST_ATLAS" ]; then
+    TEST_ARGS="test/atlas/test_connection.py"
+fi
+
 if [ -n "$TEST_OCSP" ]; then
     python -m pip install ".[ocsp]"
     TEST_ARGS="test/ocsp/test_ocsp.py"
@@ -229,6 +234,11 @@ fi
 echo "Running $AUTH tests over $SSL with python $PYTHON"
 python -c 'import sys; print(sys.version)'
 
+# Try to source exported AWS Secrets
+if [ -f ./secrets-export.sh ]; then
+  source ./secrets-export.sh
+fi
+
 # Run the tests, and store the results in Evergreen compatible XUnit XML
 # files in the xunit-results/ directory.
 

.gitignore

@@ -17,6 +17,8 @@ mongocryptd.pid
 .idea/
 .nova/
 venv/
+secrets-expansion.yml
+secrets-export.sh
 
 # Lambda temp files
 test/lambda/.aws-sam

tox.ini

@@ -38,8 +38,8 @@ labels = # Use labels and -m instead of -e so that tox -m <label> fails instantl
     doc = doc
     doc-test = doc-test
     linkcheck = linkcheck
-    test-atlas = test-atlas
     test-mockupdb = test-mockupdb
+    aws-secrets = aws-secrets
 
 [testenv:test]
 description = run base set of unit tests with no extra functionality
@@ -143,14 +143,6 @@ deps =
 commands =
     sphinx-build -E -b linkcheck doc ./doc/_build/linkcheck
 
-[testenv:test-atlas]
-description = run atlas connection tests
-deps =
-     {[testenv:test]deps}
-passenv = *
-commands =
-    python -m pytest -v {posargs} ./test/atlas/test_connection.py
-
 [testenv:test-mockupdb]
 description = run mockupdb tests
 deps =
@@ -159,3 +151,11 @@ deps =
 passenv = *
 commands =
     python -m pytest -v {posargs} ./test/mockupdb
+
+[testenv:aws-secrets]
+deps =
+    PyYAML
+    boto3
+passenv = *
+commands =
+    python {env:DRIVERS_TOOLS}/.evergreen/auth_aws/setup_secrets.py {posargs}