refactor(toolkit-lib): use credential types from @aws-cdk/cli-plugin-contract instead of @smithy/types (#470)

The `aws-auth` ap in `toolkit-lib` requires types defining how SDKv3
credentials are shaped and how a SDKv3 credentials provider is shaped.
Previously we used these types directly from `@smithy/types`. To avoid
taking a peer dependency on that package, we now use the CDK's version
of these types from `@aws-cdk/cli-plugin-contract`. These versions are a
hard copy (and rename) of the same types.

Aligning on our version of the types from `@aws-cdk/cli-plugin-contract`
will improve consistency and later on allow us to make them available in
jsii as well. The change therefore also moves the
`@aws-cdk/cli-plugin-contract` from a dependency to a peer dependency.

Also includes somewhat related clean-up:
- `toolkit-lib` - remove unused `@aws-cdk/region-info` dependency,
widened the version constraint of `@aws-cdk/cx-api` dependency to `^2`
- `cli-integ` - use latest versions of `smithy` packages as they use a
different MV compared to SDK packages
- CLI - use `@aws-cdk/cli-plugin-contract` types in a mock, we cannot
fully remove `@smithy/types` from the CLI yet since they are part of the
legacy exports
- `cdk-assets` - Remove `@smithy/types` devDep - the auth types have
already been hard copied into this packages and the dependency was
unused



---
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license

Author: mrgrain

.projenrc.ts

@@ -647,7 +647,6 @@ const cdkAssets = configureProject(
       'jszip',
       '@types/mock-fs@^4',
       'mock-fs@^5',
-      '@smithy/types',
       'aws-sdk-client-mock',
       'aws-sdk-client-mock-jest',
     ],
@@ -730,14 +729,14 @@ const toolkitLib = configureProject(
         rootDir: '.', // shouldn't be required but something broke... check again once we have gotten rid of the tmpToolkitHelpers package
       },
     },
+    peerDeps: [
+      cliPluginContract.customizeReference({ versionType: 'major' }), // allow consumers to easily de-depulicate this
+    ],
     deps: [
-      cliPluginContract,
-      cloudAssemblySchema,
-      // Purposely a ^ dependency so that clients selecting old toolkit library
-      // versions still might get upgrades to this dependency.
-      cloudFormationDiff,
-      cxApi,
-      '@aws-cdk/region-info',
+      cloudAssemblySchema, // @todo need to find the minmal required version
+      cloudFormationDiff.customizeReference({ versionType: 'major' }), // allow consumers with old toolkit-lib versions to get upgrades
+      cdkAssets.customizeReference({ versionType: 'major' }), // allow consumers with old toolkit-lib versions to get upgrades
+      `${cxApi}@^2`, // allow consumers with old toolkit-lib versions to get upgrades
       `@aws-sdk/client-appsync@${CLI_SDK_V3_RANGE}`,
       `@aws-sdk/client-cloudformation@${CLI_SDK_V3_RANGE}`,
       `@aws-sdk/client-cloudwatch-logs@${CLI_SDK_V3_RANGE}`,
@@ -766,8 +765,6 @@ const toolkitLib = configureProject(
       '@smithy/util-retry',
       '@smithy/util-waiter',
       'archiver',
-      // Purposely a ^ dependency so that clients get upgrades to this library.
-      cdkAssets,
       'cdk-from-cfn',
       'chalk@^4',
       'chokidar@^3',
@@ -789,7 +786,6 @@ const toolkitLib = configureProject(
       '@jest/globals',
       '@jest/types',
       '@microsoft/api-extractor',
-      '@smithy/types',
       '@smithy/util-stream',
       '@types/fs-extra',
       '@types/split2',
@@ -1593,9 +1589,9 @@ const cliInteg = configureProject(
       `@aws-sdk/client-sso@${CLI_SDK_V3_RANGE}`,
       `@aws-sdk/client-sts@${CLI_SDK_V3_RANGE}`,
       `@aws-sdk/credential-providers@${CLI_SDK_V3_RANGE}`,
-      `@smithy/util-retry@${CLI_SDK_V3_RANGE}`,
-      `@smithy/types@${CLI_SDK_V3_RANGE}`,
       '@cdklabs/cdk-atmosphere-client',
+      '@smithy/util-retry', // smithy packages don't have the same major version as SDK packages
+      '@smithy/types', // smithy packages don't have the same major version as SDK packages
       'axios@^1',
       'chalk@^4',
       'fs-extra@^9',

packages/@aws-cdk-testing/cli-integ/.projen/deps.json

@@ -12,9 +12,9 @@ mkdir -p dist/js
 npm pkg set version=0.0.0-alpha.$commit
 npm pkg set dependencies.@aws-cdk/cloud-assembly-schema=$version
 npm pkg set dependencies.@aws-cdk/cloudformation-diff=$version
-npm pkg set dependencies.@aws-cdk/cli-plugin-contract=$version
+npm pkg set peerDependencies.@aws-cdk/cli-plugin-contract=\*
 npm pack --pack-destination dist/js
 npm pkg set version=$reset
-npm pkg set dependencies.@aws-cdk/cli-plugin-contract=^$reset
+npm pkg set peerDependencies.@aws-cdk/cli-plugin-contract=^$reset
 npm pkg set dependencies.@aws-cdk/cloudformation-diff=^$reset
 npm pkg set dependencies.@aws-cdk/cloud-assembly-schema=^$reset

packages/@aws-cdk-testing/cli-integ/.projen/tasks.json

@@ -1,9 +1,9 @@
 import { format } from 'node:util';
+import type { SDKv3CompatibleCredentialProvider } from '@aws-cdk/cli-plugin-contract';
 import { createCredentialChain, fromEnv, fromIni, fromNodeProviderChain } from '@aws-sdk/credential-providers';
 import { MetadataService } from '@aws-sdk/ec2-metadata-service';
 import type { NodeHttpHandlerOptions } from '@smithy/node-http-handler';
 import { loadSharedConfigFiles } from '@smithy/shared-ini-file-loader';
-import type { AwsCredentialIdentityProvider } from '@smithy/types';
 import * as promptly from 'promptly';
 import { makeCachingProvider } from './provider-caching';
 import { ProxyAgentProvider } from './proxy-agent';
@@ -34,7 +34,7 @@ export class AwsCliCompatible {
     this.logger = logger;
   }
 
-  public async baseConfig(profile?: string): Promise<{ credentialProvider: AwsCredentialIdentityProvider; defaultRegion: string }> {
+  public async baseConfig(profile?: string): Promise<{ credentialProvider: SDKv3CompatibleCredentialProvider; defaultRegion: string }> {
     const credentialProvider = await this.credentialChainBuilder({
       profile,
       logger: this.logger,
@@ -50,7 +50,7 @@ export class AwsCliCompatible {
    */
   public async credentialChainBuilder(
     options: CredentialChainOptions = {},
-  ): Promise<AwsCredentialIdentityProvider> {
+  ): Promise<SDKv3CompatibleCredentialProvider> {
     const clientConfig = {
       requestHandler: this.requestHandler,
       customUserAgent: 'aws-cdk',

packages/@aws-cdk-testing/cli-integ/package.json

@@ -1,6 +1,5 @@
 import { inspect } from 'util';
 import type { CredentialProviderSource, ForReading, ForWriting, PluginProviderResult, SDKv2CompatibleCredentials, SDKv3CompatibleCredentialProvider, SDKv3CompatibleCredentials } from '@aws-cdk/cli-plugin-contract';
-import type { AwsCredentialIdentity, AwsCredentialIdentityProvider } from '@smithy/types';
 import { credentialsAboutToExpire, makeCachingProvider } from './provider-caching';
 import { AuthenticationError } from '../../toolkit/toolkit-error';
 import { formatErrorMessage } from '../../util';
@@ -87,7 +86,7 @@ export interface PluginCredentialsFetchResult {
   /**
    * SDK-v3 compatible credential provider
    */
-  readonly credentials: AwsCredentialIdentityProvider;
+  readonly credentials: SDKv3CompatibleCredentialProvider;
 
   /**
    * Name of plugin that successfully provided credentials
@@ -110,7 +109,7 @@ export interface PluginCredentialsFetchResult {
  * - If the result is a static credential that expires, we will wrap it in an SDKv3 provider
  *   that will query the plugin again when the credential expires.
  */
-async function v3ProviderFromPlugin(producer: () => Promise<PluginProviderResult>): Promise<AwsCredentialIdentityProvider> {
+async function v3ProviderFromPlugin(producer: () => Promise<PluginProviderResult>): Promise<SDKv3CompatibleCredentialProvider> {
   const initial = await producer();
 
   if (isV3Provider(initial)) {
@@ -133,7 +132,7 @@ async function v3ProviderFromPlugin(producer: () => Promise<PluginProviderResult
 /**
  * Converts a V2 credential into a V3-compatible provider
  */
-function v3ProviderFromV2Credentials(x: SDKv2CompatibleCredentials): AwsCredentialIdentityProvider {
+function v3ProviderFromV2Credentials(x: SDKv2CompatibleCredentials): SDKv3CompatibleCredentialProvider {
   return async () => {
     // Get will fetch or refresh as necessary
     await x.getPromise();
@@ -147,7 +146,10 @@ function v3ProviderFromV2Credentials(x: SDKv2CompatibleCredentials): AwsCredenti
   };
 }
 
-function refreshFromPluginProvider(current: AwsCredentialIdentity, producer: () => Promise<PluginProviderResult>): AwsCredentialIdentityProvider {
+function refreshFromPluginProvider(
+  current: SDKv3CompatibleCredentials,
+  producer: () => Promise<PluginProviderResult>,
+): SDKv3CompatibleCredentialProvider {
   return async () => {
     if (credentialsAboutToExpire(current)) {
       const newCreds = await producer();

packages/@aws-cdk/toolkit-lib/.projen/deps.json

@@ -1,5 +1,5 @@
+import type { SDKv3CompatibleCredentialProvider, SDKv3CompatibleCredentials } from '@aws-cdk/cli-plugin-contract';
 import { memoize } from '@smithy/property-provider';
-import type { AwsCredentialIdentity, AwsCredentialIdentityProvider } from '@smithy/types';
 
 /**
  * Wrap a credential provider in a cache
@@ -11,15 +11,15 @@ import type { AwsCredentialIdentity, AwsCredentialIdentityProvider } from '@smit
  * MFA prompts or what have you, we are going to liberally wrap providers
  * in caches which will return the cached value until it expires.
  */
-export function makeCachingProvider(provider: AwsCredentialIdentityProvider): AwsCredentialIdentityProvider {
+export function makeCachingProvider(provider: SDKv3CompatibleCredentialProvider): SDKv3CompatibleCredentialProvider {
   return memoize(
     provider,
     credentialsAboutToExpire,
     (token) => !!token.expiration,
   );
 }
 
-export function credentialsAboutToExpire(token: AwsCredentialIdentity) {
+export function credentialsAboutToExpire(token: SDKv3CompatibleCredentials) {
   const expiryMarginSecs = 5;
   // token.expiration is sometimes null
   return !!token.expiration && token.expiration.getTime() - Date.now() < expiryMarginSecs * 1000;

packages/@aws-cdk/toolkit-lib/.projen/tasks.json

@@ -1,11 +1,11 @@
 import * as os from 'os';
+import type { SDKv3CompatibleCredentialProvider } from '@aws-cdk/cli-plugin-contract';
 import type { ContextLookupRoleOptions } from '@aws-cdk/cloud-assembly-schema';
 import type { Environment } from '@aws-cdk/cx-api';
 import { EnvironmentUtils, UNKNOWN_ACCOUNT, UNKNOWN_REGION } from '@aws-cdk/cx-api';
 import type { AssumeRoleCommandInput } from '@aws-sdk/client-sts';
 import { fromTemporaryCredentials } from '@aws-sdk/credential-providers';
 import type { NodeHttpHandlerOptions } from '@smithy/node-http-handler';
-import type { AwsCredentialIdentityProvider } from '@smithy/types';
 import { AwsCliCompatible } from './awscli-compatible';
 import { cached } from './cached';
 import { CredentialPlugins } from './credential-plugins';
@@ -99,14 +99,14 @@ export class SdkProvider {
   }
 
   public readonly defaultRegion: string;
-  private readonly defaultCredentialProvider: AwsCredentialIdentityProvider;
+  private readonly defaultCredentialProvider: SDKv3CompatibleCredentialProvider;
   private readonly plugins;
   private readonly requestHandler: NodeHttpHandlerOptions;
   private readonly ioHelper: IoHelper;
   private readonly logger?: ISdkLogger;
 
   public constructor(
-    defaultCredentialProvider: AwsCredentialIdentityProvider,
+    defaultCredentialProvider: SDKv3CompatibleCredentialProvider,
     defaultRegion: string | undefined,
     services: SdkProviderServices,
   ) {
@@ -384,7 +384,7 @@ export class SdkProvider {
    * @internal
    */
   public _makeSdk(
-    credProvider: AwsCredentialIdentityProvider,
+    credProvider: SDKv3CompatibleCredentialProvider,
     region: string,
   ) {
     return new SDK(credProvider, region, this.requestHandler, this.ioHelper, this.logger);
@@ -446,11 +446,11 @@ export interface CredentialsOptions {
  * Result of obtaining base credentials
  */
 type ObtainBaseCredentialsResult =
-  | { source: 'correctDefault'; credentials: AwsCredentialIdentityProvider }
-  | { source: 'plugin'; pluginName: string; credentials: AwsCredentialIdentityProvider }
+  | { source: 'correctDefault'; credentials: SDKv3CompatibleCredentialProvider }
+  | { source: 'plugin'; pluginName: string; credentials: SDKv3CompatibleCredentialProvider }
   | {
     source: 'incorrectDefault';
-    credentials: AwsCredentialIdentityProvider;
+    credentials: SDKv3CompatibleCredentialProvider;
     accountId: string;
     unusedPlugins: string[];
   }

packages/@aws-cdk/toolkit-lib/build-tools/package.sh

@@ -1,3 +1,4 @@
+import type { SDKv3CompatibleCredentialProvider } from '@aws-cdk/cli-plugin-contract';
 import type {
   FunctionConfiguration,
   GetSchemaCreationStatusCommandInput,
@@ -340,7 +341,6 @@ import { GetCallerIdentityCommand, STSClient } from '@aws-sdk/client-sts';
 import { Upload } from '@aws-sdk/lib-storage';
 import { getEndpointFromInstructions } from '@smithy/middleware-endpoint';
 import type { NodeHttpHandlerOptions } from '@smithy/node-http-handler';
-import type { AwsCredentialIdentityProvider } from '@smithy/types';
 import { ConfiguredRetryStrategy } from '@smithy/util-retry';
 import type { WaiterResult } from '@smithy/util-waiter';
 import { AccountAccessKeyCache } from './account-cache';
@@ -382,7 +382,7 @@ export interface SdkOptions {
 
 export interface ConfigurationOptions {
   region: string;
-  credentials: AwsCredentialIdentityProvider;
+  credentials: SDKv3CompatibleCredentialProvider;
   requestHandler: NodeHttpHandlerOptions;
   retryStrategy: ConfiguredRetryStrategy;
   customUserAgent: string;
@@ -587,7 +587,7 @@ export class SDK {
   private readonly debug: (msg: string) => Promise<void>;
 
   constructor(
-    private readonly credProvider: AwsCredentialIdentityProvider,
+    private readonly credProvider: SDKv3CompatibleCredentialProvider,
     region: string,
     requestHandler: NodeHttpHandlerOptions,
     ioHelper: IoHelper,

packages/@aws-cdk/toolkit-lib/lib/api/aws-auth/awscli-compatible.ts

@@ -1,4 +1,4 @@
-import type { AwsCredentialIdentityProvider } from '@smithy/types';
+import type { SDKv3CompatibleCredentialProvider } from '@aws-cdk/cli-plugin-contract';
 import type { SdkProviderServices } from '../shared-private';
 import { AwsCliCompatible } from '../shared-private';
 
@@ -146,7 +146,7 @@ export interface CustomBaseCredentialsOption {
    * sure to also configure the necessary HTTP options (like proxy and user
    * agent) on the STS client directly; the toolkit code cannot do this for you.
    */
-  readonly provider: AwsCredentialIdentityProvider;
+  readonly provider: SDKv3CompatibleCredentialProvider;
 
   /**
    * The default region to synthesize for
@@ -161,7 +161,7 @@ export interface CustomBaseCredentialsOption {
 }
 
 export interface SdkBaseConfig {
-  readonly credentialProvider: AwsCredentialIdentityProvider;
+  readonly credentialProvider: SDKv3CompatibleCredentialProvider;
 
   readonly defaultRegion?: string;
 }