Migrate from AWS SDK Go v1 to v2 by RadekManak · Pull Request #180 · openshift/machine-api-provider-aws

RadekManak · 2026-03-11T15:22:45Z

Replace github.com/aws/aws-sdk-go (v1) with github.com/aws/aws-sdk-go-v2 across all production and test code. Key changes include:

Client interface: add context.Context to all methods, use concrete v2 service clients instead of v1 interfaces
Session management: replace aws/session with aws-sdk-go-v2/config
Types: use value types from service/*/types packages instead of pointer types (e.g., ec2types.Instance, []ec2types.Tag)
Pointer helpers: aws.StringValue -> aws.ToString, aws.Int64 -> aws.Int32
Error handling: awserr.Error -> smithy.APIError
IMDS: ec2metadata -> feature/ec2/imds with IMDSv2 support
Credentials: static credentials use v2 provider
Custom endpoints: per-service BaseEndpoint instead of global resolver
Remove v1 SDK from go.mod and vendor

Summary by CodeRabbit

Release Notes

Infrastructure Upgrade
- Upgraded AWS SDK dependency from v1 to v2, improving performance and enabling better request handling with context support across all AWS API interactions.
Bug Fixes & Improvements
- Enhanced error handling for AWS API calls with improved type safety.
- Refined request routing and regional validation logic for better reliability.

Replace github.com/aws/aws-sdk-go (v1) with github.com/aws/aws-sdk-go-v2 across all production and test code. Key changes include: - Client interface: add context.Context to all methods, use concrete v2 service clients instead of v1 interfaces - Session management: replace aws/session with aws-sdk-go-v2/config - Types: use value types from service/*/types packages instead of pointer types (e.g., ec2types.Instance, []ec2types.Tag) - Pointer helpers: aws.StringValue -> aws.ToString, aws.Int64 -> aws.Int32 - Error handling: awserr.Error -> smithy.APIError - IMDS: ec2metadata -> feature/ec2/imds with IMDSv2 support - Credentials: static credentials use v2 provider - Custom endpoints: per-service BaseEndpoint instead of global resolver - Remove v1 SDK from go.mod and vendor

RadekManak · 2026-03-11T15:23:12Z

/hold

coderabbitai · 2026-03-11T15:23:35Z

Walkthrough

Comprehensive migration of AWS SDK for Go from v1 to v2 across the codebase. Updates go.mod dependencies, refactors all AWS client method signatures to accept context parameters, replaces v1 types with v2 equivalents, and adjusts error handling to use smithy-based error types throughout machine actuators, machineset logic, and termination handlers.

Changes

Cohort / File(s)	Summary
Dependency Management `go.mod`	Replaces monolithic AWS SDK v1 (`github.com/aws/aws-sdk-go`) with modular v2 stack (`github.com/aws/aws-sdk-go-v2` and submodules: config, credentials, ec2, elasticloadbalancing, elasticloadbalancingv2, smithy-go, plus internal packages). Removes indirect v1 jmespath dependency.
AWS Client Interface `pkg/client/client.go`, `pkg/client/client_test.go`, `pkg/client/fake/fake.go`, `pkg/client/mock/client_generated.go`	Migrates client wrapper and mocks from v1 to v2. Updates all method signatures to require `context.Context` as first parameter. Replaces session-based initialization with `LoadDefaultConfig` and `NewFromConfig`. Introduces smithy-based error handling. Refactors region validation via API calls. Adds context-aware AWS service calls (DescribeImages, DescribeInstances, RunInstances, etc.) and custom endpoint support. New helper functions for HTTP client and middleware configuration.
Machine Actuator Core `pkg/actuators/machine/actuator_test.go`, `pkg/actuators/machine/controller_test.go`, `pkg/actuators/machine/machine_scope.go`, `pkg/actuators/machine/machine_scope_test.go`, `pkg/actuators/machine/reconciler.go`, `pkg/actuators/machine/reconciler_test.go`	Updates test expectations and implementations to use v2 types (`ec2types.*`) and context-aware client methods. Replaces pointer-based instance handling with value semantics where applicable. Updates state/condition handling, tag operations, and VPC/DHCP option retrieval to v2 APIs. Adjusts nil checks and field access patterns for v2 structures.
Instance Management `pkg/actuators/machine/instances.go`, `pkg/actuators/machine/instances_test.go`, `pkg/actuators/machine/filter.go`, `pkg/actuators/machine/utils.go`, `pkg/actuators/machine/utils_test.go`, `pkg/actuators/machine/stubs.go`	Migrates instance creation, retrieval, filtering, and tagging logic to v2. Changes return types from pointers (`[]*ec2.Instance`) to slices of value types (`[]ec2types.Instance`). Updates block device mappings, network interface specifications, placement, metadata options, and capacity reservation structures. Replaces AWS string helpers (`aws.String`, `aws.StringValue`) with v2 equivalents (`aws.ToString`). Introduces context for all AWS SDK calls and adjusts error handling for v2 types.
Load Balancer Integration `pkg/actuators/machine/loadbalancers.go`, `pkg/actuators/machine/loadbalancers_test.go`	Replaces ELB/ELBv2 v1 types with v2 equivalents. Updates registration and deregistration logic to use `ec2types.Instance` and v2 target types. Switches error handling from `awserr` to smithy-based error types. Adds context parameters to all load balancer client calls. Introduces test helper for smithy error simulation.
Dedicated Hosts `pkg/actuators/machine/dedicatedhosts.go`, `pkg/actuators/machine/dedicatedhosts_test.go`	Migrates dedicated host allocation/release to v2. Changes tag parameter type from `[]ec2.Tag` to `[]ec2types.Tag`. Updates `AllocateHosts` and `ReleaseHosts` calls with context and new input structures. Replaces error message extraction to use `aws.ToString` instead of `aws.StringValue`. Adjusts HostIds handling from `[]string` to `[]string`.
MachineSets `pkg/actuators/machineset/controller_test.go`, `pkg/actuators/machineset/ec2_instance_types.go`	Updates architecture type constants and test cases to use v2 types with string conversions. Migrates instance type fetching logic to add context and replace pointer-based type handling with v2 value types. Adjusts GPU and CPU info field access for v2 structures.
Termination Handling `pkg/termination/handler.go`, `pkg/termination/handler_test.go`	Replaces EC2 metadata client from v1 (`ec2metadata.EC2Metadata`) with v2 IMDS client. Updates error handling to use smithy HTTP error types for 404 responses. Introduces AWS config loading with retry policy customization and optional IMDS endpoint support. Enhances test mock to handle IMDSv2 token requests.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 32.38% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	❓ Inconclusive	The check references Ginkgo test patterns (It blocks, BeforeEach/AfterEach, Describe), but the codebase uses standard Go testing with table-driven tests and gomock, not Ginkgo.	Clarify whether to evaluate standard Go test quality (table-driven patterns, mock setup, assertion messages) instead of Ginkgo-specific test structure.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'Migrate from AWS SDK Go v1 to v2' accurately and clearly describes the main objective of the changeset—a comprehensive migration from AWS SDK v1 to v2.
Stable And Deterministic Test Names	✅ Passed	All Ginkgo test names are static and deterministic with no dynamic information like timestamps, UUIDs, or generated identifiers.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

openshift-ci · 2026-03-11T15:25:47Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign radekmanak for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai

Actionable comments posted: 7

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/client/client.go (1)

518-552: ⚠️ Potential issue | 🟠 Major

Merge the custom CA bundle with the system trust store and preserve DefaultTransport behavior.

The current approach creates an empty cert pool containing only the custom CA bundle, losing access to system root CAs. This breaks connectivity to public AWS APIs in typical corporate environments where custom bundles contain only internal CAs. Additionally, creating a bare http.Transport discards connection pooling and other defaults. Use x509.SystemCertPool() to preserve system trust, append the custom CA, and clone http.DefaultTransport to maintain proper transport behavior:

Suggested fix

-	certPool := x509.NewCertPool()
-	if !certPool.AppendCertsFromPEM([]byte(caBundle)) {
+	certPool, err := x509.SystemCertPool()
+	if err != nil || certPool == nil {
+		certPool = x509.NewCertPool()
+	}
+	if !certPool.AppendCertsFromPEM([]byte(caBundle)) {
 		return nil, fmt.Errorf("failed to parse custom CA bundle")
 	}
 
-	return &http.Client{
-		Transport: &http.Transport{
-			TLSClientConfig: &tls.Config{
-				RootCAs:    certPool,
-				MinVersion: tls.VersionTLS12,
-			},
-		},
-	}, nil
+	transport := http.DefaultTransport.(*http.Transport).Clone()
+	if transport.TLSClientConfig == nil {
+		transport.TLSClientConfig = &tls.Config{}
+	}
+	transport.TLSClientConfig.RootCAs = certPool
+	transport.TLSClientConfig.MinVersion = tls.VersionTLS12
+
+	return &http.Client{Transport: transport}, nil

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/client/client.go` around lines 518 - 552, In buildHTTPClient, don't
create an empty cert pool or a bare http.Transport; instead call
x509.SystemCertPool() to obtain the system roots (handle nil/err), append the
custom CA PEM to that pool (the certPool used for TLSClientConfig), and use a
clone of http.DefaultTransport (type assert to *http.Transport and Clone()) to
preserve connection pooling and defaults before setting TLSClientConfig.RootCAs
to the merged certPool and MinVersion to tls.VersionTLS12; update the returned
*http.Client to use that cloned transport.

🧹 Nitpick comments (5)

pkg/actuators/machineset/ec2_instance_types.go (1)
142-142: Consider propagating context through the call chain.

Using context.TODO() here prevents proper timeout handling, cancellation, and distributed tracing. The recommended approach is to accept context.Context as a parameter in fetchEC2InstanceTypes, refresh, and GetInstanceType, then propagate from the caller.

This is acceptable for an initial SDK migration but should be addressed in a follow-up to enable proper request lifecycle management.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/actuators/machineset/ec2_instance_types.go` at line 142, The call to
awsClient.DescribeInstanceTypes uses context.TODO(), preventing
cancellation/timeouts and tracing; change fetchEC2InstanceTypes, refresh, and
GetInstanceType to accept a context.Context parameter and pass that ctx through
to awsClient.DescribeInstanceTypes (and any other AWS SDK calls) instead of
using context.TODO(); update all call sites to propagate the caller's ctx so
cancellation and deadlines flow through the call chain (functions to edit:
fetchEC2InstanceTypes, refresh, GetInstanceType).
pkg/actuators/machine/machine_scope_test.go (2)
383-385: Consider keeping a nil vpcID test case for behavioral coverage.

This call now only exercises the non-nil path. If getCustomDomainFromDHCP is intended to tolerate nil input, add a dedicated nil-input case to prevent regressions.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/actuators/machine/machine_scope_test.go` around lines 383 - 385, Add a
dedicated test case that passes a nil *string VPC ID to
mS.getCustomDomainFromDHCP to exercise the nil-input path: create vpcID :=
(*string)(nil), call got, err := mS.getCustomDomainFromDHCP(vpcID) and assert
the function does not panic, returns the expected zero-value domain (e.g., "" or
whatever the package contract defines) and an appropriate error state
(preferably nil if it should tolerate nil); name the case clearly (e.g., "nil
vpcID") so future changes won’t remove this behavioral coverage.
371-381: Tighten gomock request matching to avoid false positives.

Using gomock.Any() for both args means the test won't catch if the production code's EC2 input payloads become malformed (for example, missing/incorrect DHCP options IDs). Consider asserting the request content in at least one expectation using a pattern like DoAndReturn to validate required fields are present.
Example hardening pattern
- mockAWSClient.EXPECT().DescribeDHCPOptions(gomock.Any(), gomock.Any()).Return(tc.describeDhcpOptionsOutput, nil).AnyTimes()
+ mockAWSClient.EXPECT().
+   DescribeDHCPOptions(gomock.Any(), gomock.AssignableToTypeOf(&ec2.DescribeDhcpOptionsInput{})).
+   DoAndReturn(func(_ context.Context, in *ec2.DescribeDhcpOptionsInput) (*ec2.DescribeDhcpOptionsOutput, error) {
+     if len(in.DhcpOptionsIds) == 0 {
+       t.Fatalf("expected at least one DHCP options ID")
+     }
+     return tc.describeDhcpOptionsOutput, nil
+   }).
+   AnyTimes()
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/actuators/machine/machine_scope_test.go` around lines 371 - 381, Tighten
the gomock expectations so the test validates request payloads instead of using
gomock.Any() for both args: update the mockAWSClient.Expect().DescribeVpcs(...)
and/or mockAWSClient.EXPECT().DescribeDHCPOptions(...) to use DoAndReturn (or a
custom gomock.Matcher) that inspects the input context/EC2 request and asserts
the presence/format of the DHCP options ID (e.g., that the DescribeVpcs input
contains the expected DhcpOptionsId or that DescribeDHCPOptions call receives
the correct DHCPOptionsIds slice) before returning tc.describeDhcpOptionsOutput,
leaving machineScope and mockAWSClient references intact.
pkg/actuators/machine/machine_scope.go (1)
204-227: Consider using the embedded context instead of context.TODO().

The machineScope struct embeds context.Context (see line 43), but context.TODO() is used for the AWS API calls on lines 209 and 221. Consider using s.Context for consistency and proper context propagation.
♻️ Suggested improvement
-	vpc, err := s.awsClient.DescribeVpcs(context.TODO(), &ec2.DescribeVpcsInput{
+	vpc, err := s.awsClient.DescribeVpcs(s.Context, &ec2.DescribeVpcsInput{
 		VpcIds: []string{*vpcID},
 	})
-	dhcp, err := s.awsClient.DescribeDHCPOptions(context.TODO(), &ec2.DescribeDhcpOptionsInput{
+	dhcp, err := s.awsClient.DescribeDHCPOptions(s.Context, &ec2.DescribeDhcpOptionsInput{
 		DhcpOptionsIds: []string{aws.ToString(vpc.Vpcs[0].DhcpOptionsId)},
 	})
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/actuators/machine/machine_scope.go` around lines 204 - 227, In
getCustomDomainFromDHCP, replace the calls using context.TODO() with the
embedded context on the scope (s.Context) so the AWS API calls inherit the
request/operation context; update both DescribeVpcs and DescribeDHCPOptions
invocations to use s.Context instead of context.TODO() to ensure proper context
propagation from the machineScope.
pkg/termination/handler.go (1)
119-131: LGTM! Error handling correctly uses smithy types for v2.

The 404 detection via smithyhttp.ResponseError is the correct pattern for AWS SDK v2.

One minor note: Line 128 fmt.Errorf("%w", err) is redundant since it only wraps the error without adding context. You could simplify to return false, err.
♻️ Optional simplification
 		if err != nil {
 			var re *smithyhttp.ResponseError
 			if errors.As(err, &re) && re.HTTPStatusCode() == http.StatusNotFound {
 				logger.V(2).Info("Instance not marked for termination")
 				return false, nil
 			}
-			return false, fmt.Errorf("%w", err)
+			return false, err
 		}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/termination/handler.go` around lines 119 - 131, The error return
currently wraps the AWS SDK error redundantly using fmt.Errorf("%w", err); in
the GetMetadata error branch inside the imdsClient.GetMetadata call replace that
wrapping with a direct return of the original error (i.e., return false, err) so
the function preserves the original error value instead of rewrapping it; keep
the existing smithyhttp.ResponseError 404 detection and the logger.V(2).Info
branch intact.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/actuators/machine/dedicatedhosts.go`:
- Around line 44-45: The AllocateHosts/ReleaseHosts calls use context.TODO()
which prevents cancellation propagation; update the surrounding helper functions
in dedicatedhosts.go to accept a context.Context parameter (e.g., add ctx to the
function signature that calls client.AllocateHosts and client.ReleaseHosts) and
replace context.TODO() with the passed ctx when invoking
client.AllocateHosts(ctx, allocateInput) and client.ReleaseHosts(ctx,
releaseInput). Ensure all call sites of those helpers are updated to forward the
upstream ctx so parent cancellations/timeouts propagate correctly.

In `@pkg/actuators/machine/instances_test.go`:
- Line 1191: The test currently stubs DescribeAvailabilityZones to always return
nil error; update the mock expectation in the table-driven test so
DescribeAvailabilityZones returns tc.zonesOutput, tc.azErr (i.e., wire tc.azErr
into mockAWSClient.EXPECT().DescribeAvailabilityZones(...).Return(...)) so the
`"Subnet with availability zone with error"` case can exercise the AWS error
path; locate the call to
mockAWSClient.EXPECT().DescribeAvailabilityZones(gomock.Any(),
gomock.Any()).Return(tc.zonesOutput, nil).AnyTimes() and change the returned
error to tc.azErr.

In `@pkg/actuators/machine/instances.go`:
- Around line 78-90: The helper functions (getSecurityGroupsIDs, getSubnetIDs,
getAMI, getBlockDeviceMappings, getAvalabilityZoneFromSubnetID,
getAvalabilityZoneTypeFromZoneName) and their caller launchInstance are using
context.TODO() for AWS SDK calls; change their signatures to accept a
context.Context parameter and thread the reconciler's context (from machineScope
or the caller) through to each helper and ultimately into
client.DescribeSecurityGroups / DescribeSubnets / DescribeImages /
DescribeAvailabilityZones / DescribeInstances calls so the v2 AWS client
receives the real cancelled/deadline-aware context instead of context.TODO();
update all call sites (including launchInstance callers) to pass the incoming
ctx along.

In `@pkg/actuators/machine/loadbalancers.go`:
- Around line 53-65: The switch on targetGroup.TargetType only sets target.Id
for Instance and Ip and can leave target.Id nil, so add a default case in the
switch (checking targetGroup.TargetType) that logs/returns/skips for unsupported
target types instead of leaving target uninitialized; then before any
dereference of target.Id (or before using it in registration/logging) add a nil
guard like if target.Id == nil { klog.Errorf("unsupported or missing target id
for target group %v", aws.ToString(targetGroup.TargetGroupArn));
continue/return/error } and use aws.ToString(target.Id) (or otherwise safely
handle the nil) when logging/using the ID; update the switch block that handles
elbv2types.TargetTypeEnumInstance and elbv2types.TargetTypeEnumIp and the
subsequent registration/logging code to include these guards.
- Line 31: The functions that call AWS ELB/ELBv2 APIs (e.g.,
RegisterInstancesWithLoadBalancer invocation and
registerWithNetworkLoadBalancers, plus the deregister counterparts) should
accept a caller context parameter (ctx) and pass that ctx into all SDK calls
instead of using context.TODO(); update the signatures where needed and replace
context.TODO() with ctx for calls like client.RegisterInstancesWithLoadBalancer
and client.RegisterTargets/RegisterTargetGroup/etc. In
registerWithNetworkLoadBalancers and similar helpers, avoid dereferencing
target.Id unconditionally: only read target.Id for target.Type == "instance" or
"ip" (and set the InstanceId/TargetId appropriately), and for "lambda" or "alb"
target types either leave the field nil or handle them according to AWS contract
(do not call aws.StringValue on a nil pointer); add a nil-check (e.g., if
target.Id != nil) or a switch on target.Type to safely build the target
description to prevent the panic. Ensure the same ctx propagation and
target-type-safe handling is applied to the other referenced call sites (lines
noted) for both register and deregister flows.

In `@pkg/actuators/machine/utils.go`:
- Line 117: The EC2 calls use context.TODO() which discards
cancellation/deadline propagation; update the helper functions that call
client.DescribeInstances (and similar EC2 client calls at the noted locations)
to accept a context.Context parameter (or accept the machine scope so you can
read machineScope.Context) and replace context.TODO() with that context (use
machineScope.Context where these helpers are invoked). Locate all occurrences of
client.DescribeInstances(...) and other EC2 calls in this file and thread the
caller context through the function signatures and call sites so cancellation
and deadlines from machineScope.Context are honored.

In `@pkg/client/client.go`:
- Around line 262-263: GetCachedDescribeRegions is building an EC2 client from
only aws.Config, so it ignores the service-specific ec2OptFns (resolved in
newAWSConfig) and thus validates regions against the default endpoint; update
the cache API and callers to accept and forward the EC2 service option funcs
(ec2OptFns) or apply those funcs when constructing the validation EC2 client
inside GetCachedDescribeRegions so the DescribeRegions call uses the configured
BaseEndpoint; search for newAWSConfig, ec2OptFns, and GetCachedDescribeRegions
(and the other affected cached methods referenced around lines 275-297, 333-345,
397-401) and ensure each callsite passes the ec2 option functions through to the
cache and that the cache uses them when creating the ec2.NewFromConfig client.

---

Outside diff comments:
In `@pkg/client/client.go`:
- Around line 518-552: In buildHTTPClient, don't create an empty cert pool or a
bare http.Transport; instead call x509.SystemCertPool() to obtain the system
roots (handle nil/err), append the custom CA PEM to that pool (the certPool used
for TLSClientConfig), and use a clone of http.DefaultTransport (type assert to
*http.Transport and Clone()) to preserve connection pooling and defaults before
setting TLSClientConfig.RootCAs to the merged certPool and MinVersion to
tls.VersionTLS12; update the returned *http.Client to use that cloned transport.

---

Nitpick comments:
In `@pkg/actuators/machine/machine_scope_test.go`:
- Around line 383-385: Add a dedicated test case that passes a nil *string VPC
ID to mS.getCustomDomainFromDHCP to exercise the nil-input path: create vpcID :=
(*string)(nil), call got, err := mS.getCustomDomainFromDHCP(vpcID) and assert
the function does not panic, returns the expected zero-value domain (e.g., "" or
whatever the package contract defines) and an appropriate error state
(preferably nil if it should tolerate nil); name the case clearly (e.g., "nil
vpcID") so future changes won’t remove this behavioral coverage.
- Around line 371-381: Tighten the gomock expectations so the test validates
request payloads instead of using gomock.Any() for both args: update the
mockAWSClient.Expect().DescribeVpcs(...) and/or
mockAWSClient.EXPECT().DescribeDHCPOptions(...) to use DoAndReturn (or a custom
gomock.Matcher) that inspects the input context/EC2 request and asserts the
presence/format of the DHCP options ID (e.g., that the DescribeVpcs input
contains the expected DhcpOptionsId or that DescribeDHCPOptions call receives
the correct DHCPOptionsIds slice) before returning tc.describeDhcpOptionsOutput,
leaving machineScope and mockAWSClient references intact.

In `@pkg/actuators/machine/machine_scope.go`:
- Around line 204-227: In getCustomDomainFromDHCP, replace the calls using
context.TODO() with the embedded context on the scope (s.Context) so the AWS API
calls inherit the request/operation context; update both DescribeVpcs and
DescribeDHCPOptions invocations to use s.Context instead of context.TODO() to
ensure proper context propagation from the machineScope.

In `@pkg/actuators/machineset/ec2_instance_types.go`:
- Line 142: The call to awsClient.DescribeInstanceTypes uses context.TODO(),
preventing cancellation/timeouts and tracing; change fetchEC2InstanceTypes,
refresh, and GetInstanceType to accept a context.Context parameter and pass that
ctx through to awsClient.DescribeInstanceTypes (and any other AWS SDK calls)
instead of using context.TODO(); update all call sites to propagate the caller's
ctx so cancellation and deadlines flow through the call chain (functions to
edit: fetchEC2InstanceTypes, refresh, GetInstanceType).

In `@pkg/termination/handler.go`:
- Around line 119-131: The error return currently wraps the AWS SDK error
redundantly using fmt.Errorf("%w", err); in the GetMetadata error branch inside
the imdsClient.GetMetadata call replace that wrapping with a direct return of
the original error (i.e., return false, err) so the function preserves the
original error value instead of rewrapping it; keep the existing
smithyhttp.ResponseError 404 detection and the logger.V(2).Info branch intact.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 066942d3-68cd-4a5e-9b04-3507ee750da1

📥 Commits

Reviewing files that changed from the base of the PR and between 0dd849f and 7a53191.

⛔ Files ignored due to path filters (275)

go.sum is excluded by !**/*.sum
vendor/github.com/aws/aws-sdk-go-v2/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/NOTICE.txt is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/accountid_endpoint_mode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/checksum.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/context.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/credential_cache.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/credentials.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/defaults/auto.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/defaults/configuration.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/defaults/defaults.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/defaults/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/defaultsmode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/endpoints.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/from_ptr.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/logging.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/logging_generate.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/middleware.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/osname.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/osname_go115.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/recursion_detection.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/request_id.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/request_id_retriever.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/user_agent.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/ec2query/error_utils.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/array.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/encoder.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/map.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/middleware.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/object.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/value.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/restjson/decoder_util.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/xml/error_utils.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/ratelimit/none.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/ratelimit/token_bucket.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/ratelimit/token_rate_limit.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/request.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/retry/adaptive.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/retry/adaptive_ratelimit.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/retry/adaptive_token_bucket.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/retry/attempt_metrics.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/retry/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/retry/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/retry/jitter_backoff.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/retry/metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/retry/middleware.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/retry/retry.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/retry/retryable_error.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/retry/standard.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/retry/throttle_error.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/retry/timeout_error.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/retryer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/runtime.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/cache.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/const.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/header_rules.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/headers.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/hmac.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/host.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/scope.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/time.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/util.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/middleware.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/presign_middleware.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/stream.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/v4.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/to_ptr.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/content_type.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/response_error.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/response_error_middleware.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/timeout_read_closer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/version.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/auth_scheme_preference.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/defaultsmode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/env_config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/generate.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/load_options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/local.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/provider.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/resolve.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/resolve_bearer_token.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/resolve_credentials.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/shared_config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds/provider.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/internal/client/auth.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/internal/client/client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/internal/client/endpoints.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/internal/client/middleware.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/provider.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/logincreds/dpop.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/logincreds/file.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/logincreds/provider.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/logincreds/token.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/processcreds/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/processcreds/provider.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/sso_cached_token.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/sso_credentials_provider.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/sso_token_provider.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/static_provider.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/stscreds/assume_role_provider.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/stscreds/web_identity_provider.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/api_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/api_op_GetDynamicData.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/api_op_GetIAMInfo.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/api_op_GetInstanceIdentityDocument.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/api_op_GetMetadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/api_op_GetRegion.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/api_op_GetToken.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/api_op_GetUserData.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/auth.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/endpoints.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/internal/config/resolvers.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/request_middleware.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/token_provider.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/auth/auth.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/auth/scheme.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/auth/smithy/bearer_token_adapter.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/auth/smithy/bearer_token_signer_adapter.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/auth/smithy/credentials_adapter.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/auth/smithy/smithy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/auth/smithy/v4signer_adapter.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/endpoints.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/context/context.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/arn.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/generate.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/host.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partition.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.json is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/endpoints.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/endpoints.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/ini/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/ini/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/ini/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/ini/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/ini/ini.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/ini/parse.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/ini/sections.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/ini/strings.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/ini/token.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/ini/tokenize.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/ini/value.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/middleware/middleware.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/rand/rand.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/sdk/interfaces.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/sdk/time.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/sdkio/byte.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/shareddefaults/shared_config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/strings/strings.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/sync/singleflight/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/sync/singleflight/docs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/sync/singleflight/singleflight.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/timeconv/duration.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptAddressTransfer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptCapacityReservationBillingOwnership.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptReservedInstancesExchangeQuote.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptTransitGatewayMulticastDomainAssociations.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptTransitGatewayPeeringAttachment.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptTransitGatewayVpcAttachment.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptVpcEndpointConnections.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptVpcPeeringConnection.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AdvertiseByoipCidr.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AllocateAddress.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AllocateHosts.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AllocateIpamPoolCidr.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_ApplySecurityGroupsToClientVpnTargetNetwork.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssignIpv6Addresses.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssignPrivateIpAddresses.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssignPrivateNatGatewayAddress.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateAddress.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateCapacityReservationBillingOwner.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateClientVpnTargetNetwork.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateDhcpOptions.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateEnclaveCertificateIamRole.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateIamInstanceProfile.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateInstanceEventWindow.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateIpamByoasn.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateIpamResourceDiscovery.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateNatGatewayAddress.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateRouteServer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateRouteTable.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateSecurityGroupVpc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateSubnetCidrBlock.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateTransitGatewayMulticastDomain.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateTransitGatewayPolicyTable.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateTransitGatewayRouteTable.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateTrunkInterface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateVpcCidrBlock.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AttachClassicLinkVpc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AttachInternetGateway.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AttachNetworkInterface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AttachVerifiedAccessTrustProvider.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AttachVolume.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AttachVpnGateway.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AuthorizeClientVpnIngress.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AuthorizeSecurityGroupEgress.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AuthorizeSecurityGroupIngress.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_BundleInstance.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CancelBundleTask.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CancelCapacityReservation.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CancelCapacityReservationFleets.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CancelConversionTask.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CancelDeclarativePoliciesReport.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CancelExportTask.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CancelImageLaunchPermission.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CancelImportTask.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CancelReservedInstancesListing.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CancelSpotFleetRequests.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CancelSpotInstanceRequests.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_ConfirmProductInstance.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CopyFpgaImage.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CopyImage.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CopySnapshot.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CopyVolumes.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateCapacityManagerDataExport.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateCapacityReservation.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateCapacityReservationBySplitting.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateCapacityReservationFleet.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateCarrierGateway.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateClientVpnEndpoint.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateClientVpnRoute.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateCoipCidr.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateCoipPool.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateCustomerGateway.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateDefaultSubnet.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateDefaultVpc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateDelegateMacVolumeOwnershipTask.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateDhcpOptions.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateEgressOnlyInternetGateway.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateFleet.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateFlowLogs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateFpgaImage.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateImage.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateImageUsageReport.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateInstanceConnectEndpoint.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateInstanceEventWindow.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateInstanceExportTask.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateInternetGateway.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateInterruptibleCapacityReservationAllocation.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateIpam.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateIpamExternalResourceVerificationToken.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateIpamPolicy.go is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (25)

go.mod
pkg/actuators/machine/actuator_test.go
pkg/actuators/machine/controller_test.go
pkg/actuators/machine/dedicatedhosts.go
pkg/actuators/machine/dedicatedhosts_test.go
pkg/actuators/machine/filter.go
pkg/actuators/machine/instances.go
pkg/actuators/machine/instances_test.go
pkg/actuators/machine/loadbalancers.go
pkg/actuators/machine/loadbalancers_test.go
pkg/actuators/machine/machine_scope.go
pkg/actuators/machine/machine_scope_test.go
pkg/actuators/machine/reconciler.go
pkg/actuators/machine/reconciler_test.go
pkg/actuators/machine/stubs.go
pkg/actuators/machine/utils.go
pkg/actuators/machine/utils_test.go
pkg/actuators/machineset/controller_test.go
pkg/actuators/machineset/ec2_instance_types.go
pkg/client/client.go
pkg/client/client_test.go
pkg/client/fake/fake.go
pkg/client/mock/client_generated.go
pkg/termination/handler.go
pkg/termination/handler_test.go

coderabbitai · 2026-03-11T15:38:45Z

pkg/actuators/machine/dedicatedhosts.go

+	output, err := client.AllocateHosts(context.TODO(), allocateInput)
 	if err != nil {


⚠️ Potential issue | 🟠 Major

Pass the caller context into dedicated-host lifecycle calls.

Both host allocation and release now use the v2 client interface, but context.TODO() makes them uncancelable once the parent operation is canceled or times out. Please thread ctx through these helpers instead.

Also applies to: 67-67

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@pkg/actuators/machine/dedicatedhosts.go` around lines 44 - 45, The AllocateHosts/ReleaseHosts calls use context.TODO() which prevents cancellation propagation; update the surrounding helper functions in dedicatedhosts.go to accept a context.Context parameter (e.g., add ctx to the function signature that calls client.AllocateHosts and client.ReleaseHosts) and replace context.TODO() with the passed ctx when invoking client.AllocateHosts(ctx, allocateInput) and client.ReleaseHosts(ctx, releaseInput). Ensure all call sites of those helpers are updated to forward the upstream ctx so parent cancellations/timeouts propagate correctly.

coderabbitai · 2026-03-11T15:38:45Z

pkg/actuators/machine/instances_test.go

-			mockAWSClient.EXPECT().DescribeImages(gomock.Any()).Return(tc.imageOutput, tc.imageErr).AnyTimes()
-			mockAWSClient.EXPECT().RunInstances(tc.runInstancesInput).Return(tc.instancesOutput, tc.instancesErr).AnyTimes()
+			mockAWSClient.EXPECT().DescribeSecurityGroups(gomock.Any(), gomock.Any()).Return(tc.securityGroupOutput, tc.securityGroupErr).AnyTimes()
+			mockAWSClient.EXPECT().DescribeAvailabilityZones(gomock.Any(), gomock.Any()).Return(tc.zonesOutput, nil).AnyTimes()


⚠️ Potential issue | 🟡 Minor

Wire tc.azErr into the DescribeAvailabilityZones mock.

The "Subnet with availability zone with error" case currently never exercises the AWS error path because this expectation always returns nil for the error.

🧪 Suggested fix

- mockAWSClient.EXPECT().DescribeAvailabilityZones(gomock.Any(), gomock.Any()).Return(tc.zonesOutput, nil).AnyTimes() + mockAWSClient.EXPECT().DescribeAvailabilityZones(gomock.Any(), gomock.Any()).Return(tc.zonesOutput, tc.azErr).AnyTimes()

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@pkg/actuators/machine/instances_test.go` at line 1191, The test currently stubs DescribeAvailabilityZones to always return nil error; update the mock expectation in the table-driven test so DescribeAvailabilityZones returns tc.zonesOutput, tc.azErr (i.e., wire tc.azErr into mockAWSClient.EXPECT().DescribeAvailabilityZones(...).Return(...)) so the `"Subnet with availability zone with error"` case can exercise the AWS error path; locate the call to mockAWSClient.EXPECT().DescribeAvailabilityZones(gomock.Any(), gomock.Any()).Return(tc.zonesOutput, nil).AnyTimes() and change the returned error to tc.azErr.

coderabbitai · 2026-03-11T15:38:45Z

pkg/actuators/machine/instances.go

+func getSecurityGroupsIDs(securityGroups []machinev1beta1.AWSResourceReference, client awsclient.Client) ([]string, error) {
+	var securityGroupIDs []string
 	for _, g := range securityGroups {
 		// ID has priority
 		if g.ID != nil {
-			securityGroupIDs = append(securityGroupIDs, g.ID)
+			securityGroupIDs = append(securityGroupIDs, *g.ID)
 		} else if g.Filters != nil {
 			klog.Info("Describing security groups based on filters")
 			// Get groups based on filters
 			describeSecurityGroupsRequest := ec2.DescribeSecurityGroupsInput{
 				Filters: buildEC2Filters(g.Filters),
 			}
-			describeSecurityGroupsResult, err := client.DescribeSecurityGroups(&describeSecurityGroupsRequest)
+			describeSecurityGroupsResult, err := client.DescribeSecurityGroups(context.TODO(), &describeSecurityGroupsRequest)


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

wc -l pkg/actuators/machine/instances.go

Repository: openshift/machine-api-provider-aws

Length of output: 116

🏁 Script executed:

cat -n pkg/actuators/machine/instances.go | sed -n '70,100p'

Repository: openshift/machine-api-provider-aws

Length of output: 1356

🏁 Script executed:

cat -n pkg/actuators/machine/instances.go | sed -n '100,160p'

Repository: openshift/machine-api-provider-aws

Length of output: 2911

🏁 Script executed:

cat -n pkg/actuators/machine/instances.go | sed -n '165,230p'

Repository: openshift/machine-api-provider-aws

Length of output: 2704

🏁 Script executed:

cat -n pkg/actuators/machine/instances.go | sed -n '265,280p'

Repository: openshift/machine-api-provider-aws

Length of output: 733

🏁 Script executed:

cat -n pkg/actuators/machine/instances.go | sed -n '540,550p'

Repository: openshift/machine-api-provider-aws

Length of output: 630

🏁 Script executed:

head -30 pkg/actuators/machine/instances.go

Repository: openshift/machine-api-provider-aws

Length of output: 857

🏁 Script executed:

fd client.go pkg/client

Repository: openshift/machine-api-provider-aws

Length of output: 98

🏁 Script executed:

cat -n pkg/client/client.go | head -100

Repository: openshift/machine-api-provider-aws

Length of output: 5864

🏁 Script executed:

cat -n pkg/actuators/machine/instances.go | sed -n '485,510p'

Repository: openshift/machine-api-provider-aws

Length of output: 1550

🏁 Script executed:

rg "launchInstance|getSecurityGroupsIDs|getSubnetIDs|getAMI|getBlockDeviceMappings" pkg/actuators/machine/instances.go -n

Repository: openshift/machine-api-provider-aws

Length of output: 1419

🏁 Script executed:

rg "launchInstance" pkg/actuators/machine/ -n

Repository: openshift/machine-api-provider-aws

Length of output: 908

🏁 Script executed:

cat -n pkg/actuators/machine/instances.go | sed -n '355,365p'

Repository: openshift/machine-api-provider-aws

Length of output: 713

🏁 Script executed:

rg "func.*Create\|func.*create" pkg/actuators/machine/instances.go -n

Repository: openshift/machine-api-provider-aws

Length of output: 60

🏁 Script executed:

cat -n pkg/actuators/machine/reconciler.go | sed -n '95,110p'

Repository: openshift/machine-api-provider-aws

Length of output: 794

🏁 Script executed:

cat -n pkg/actuators/machine/reconciler.go | sed -n '1,50p'

Repository: openshift/machine-api-provider-aws

Length of output: 2137

🏁 Script executed:

rg "func.*Reconcile" pkg/actuators/machine/reconciler.go -n -A 3

Repository: openshift/machine-api-provider-aws

Length of output: 2783

🏁 Script executed:

cat -n pkg/actuators/machine/reconciler.go | grep -A 20 "type machineScope"

Repository: openshift/machine-api-provider-aws

Length of output: 60

🏁 Script executed:

rg "type machineScope struct" pkg/actuators/machine/ -A 15

Repository: openshift/machine-api-provider-aws

Length of output: 1232

🏁 Script executed:

cat -n pkg/actuators/machine/machine_scope.go | sed -n '1,50p'

Repository: openshift/machine-api-provider-aws

Length of output: 1915

Stop dropping the reconcile context on these AWS calls.

The v2 client surface now accepts context.Context, but these helpers still hardcode context.TODO() for every EC2 request. The reconciler has access to a deadline/cancellation context through machineScope, but it's never passed into launchInstance or any of the helper functions (getSecurityGroupsIDs, getSubnetIDs, getAMI, getBlockDeviceMappings, getAvalabilityZoneFromSubnetID, getAvalabilityZoneTypeFromZoneName). That means controller cancellation/timeouts never reach AWS, so a cancelled reconcile can keep doing network I/O and then race the next retry. Please thread the caller context through these helpers and use it consistently instead.

Occurs at: lines 90, 130, 149, 172, 195, 225, 272, 546

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@pkg/actuators/machine/instances.go` around lines 78 - 90, The helper functions (getSecurityGroupsIDs, getSubnetIDs, getAMI, getBlockDeviceMappings, getAvalabilityZoneFromSubnetID, getAvalabilityZoneTypeFromZoneName) and their caller launchInstance are using context.TODO() for AWS SDK calls; change their signatures to accept a context.Context parameter and thread the reconciler's context (from machineScope or the caller) through to each helper and ultimately into client.DescribeSecurityGroups / DescribeSubnets / DescribeImages / DescribeAvailabilityZones / DescribeInstances calls so the v2 AWS client receives the real cancelled/deadline-aware context instead of context.TODO(); update all call sites (including launchInstance callers) to pass the incoming ctx along.

coderabbitai · 2026-03-11T15:38:45Z

pkg/actuators/machine/loadbalancers.go

 			LoadBalancerName: aws.String(elbName),
 		}
-		_, err := client.RegisterInstancesWithLoadBalancer(req)
+		_, err := client.RegisterInstancesWithLoadBalancer(context.TODO(), req)


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

wc -l pkg/actuators/machine/loadbalancers.go

Repository: openshift/machine-api-provider-aws

Length of output: 120

🏁 Script executed:

cat -n pkg/actuators/machine/loadbalancers.go | head -200

Repository: openshift/machine-api-provider-aws

Length of output: 9212

🏁 Script executed:

# Let's look specifically at the lines mentioned in the review cat -n pkg/actuators/machine/loadbalancers.go | sed -n '1,100p'

Repository: openshift/machine-api-provider-aws

Length of output: 4788

🏁 Script executed:

# Get more context around the problematic areas cat -n pkg/actuators/machine/loadbalancers.go | sed -n '60,90p'

Repository: openshift/machine-api-provider-aws

Length of output: 1753

🏁 Script executed:

# Check the full function signatures and context propagation cat -n pkg/actuators/machine/loadbalancers.go | sed -n '1,40p'

Repository: openshift/machine-api-provider-aws

Length of output: 1687

🏁 Script executed:

rg -n "registerWithClassicLoadBalancers|registerWithNetworkLoadBalancers|deregisterNetworkLoadBalancers" --type go

Repository: openshift/machine-api-provider-aws

Length of output: 1368

🏁 Script executed:

# Check if there are other target types beyond Instance and Ip rg -n "TargetType" --type go

Repository: openshift/machine-api-provider-aws

Length of output: 12641

🏁 Script executed:

sed -n '410,430p' pkg/actuators/machine/reconciler.go

Repository: openshift/machine-api-provider-aws

Length of output: 788

🏁 Script executed:

sed -n '440,460p' pkg/actuators/machine/reconciler.go

Repository: openshift/machine-api-provider-aws

Length of output: 746

🏁 Script executed:

# Get function signature for the callers to see if context is available sed -n '1,50p' pkg/actuators/machine/reconciler.go | head -50

Repository: openshift/machine-api-provider-aws

Length of output: 1787

🏁 Script executed:

# Find the method containing these calls to understand context availability sed -n '300,430p' pkg/actuators/machine/reconciler.go

Repository: openshift/machine-api-provider-aws

Length of output: 5278

🏁 Script executed:

# Check the machineScope or Reconciler struct for context rg -n "func.*create|func.*terminate" pkg/actuators/machine/reconciler.go | head -20

Repository: openshift/machine-api-provider-aws

Length of output: 118

🏁 Script executed:

# Check the machineScope structure to see if it has context rg -n "type machineScope|Context" pkg/actuators/machine/reconciler.go | head -30

Repository: openshift/machine-api-provider-aws

Length of output: 269

🏁 Script executed:

# Find where Context is defined in machineScope fd -t f "*.go" -x grep -l "machineScope" {} \;

Repository: openshift/machine-api-provider-aws

Length of output: 361

🏁 Script executed:

# Check the machine scope file cat pkg/actuators/machine/machine_scope.go | head -100

Repository: openshift/machine-api-provider-aws

Length of output: 3616

🏁 Script executed:

# Check the AWS SDK to see all possible TargetTypeEnum values grep -A 10 "type TargetTypeEnum" vendor/github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2/types/enums.go

Repository: openshift/machine-api-provider-aws

Length of output: 422

🏁 Script executed:

# Also verify the exact line number for the nil dereference and check surrounding context more carefully sed -n '50,78p' pkg/actuators/machine/loadbalancers.go

Repository: openshift/machine-api-provider-aws

Length of output: 1392

Propagate the caller context through ELB and ELBv2 operations, and handle all supported target group types.

Every AWS call in this file is made with context.TODO(), so registration/deregistration work can continue after the parent operation has already been canceled. These helper functions should accept ctx from their callers (available via Reconciler.Context) and forward it to the AWS SDK calls instead.

Additionally, registerWithNetworkLoadBalancers() only initializes target for instance and ip target types. If a target group uses lambda or alb type (both supported by AWS), target.Id remains nil, causing a panic at line 73 when dereferenced.

Also applies to: 83-83, 125-125, 151-151, 163-163, 182-182

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@pkg/actuators/machine/loadbalancers.go` at line 31, The functions that call AWS ELB/ELBv2 APIs (e.g., RegisterInstancesWithLoadBalancer invocation and registerWithNetworkLoadBalancers, plus the deregister counterparts) should accept a caller context parameter (ctx) and pass that ctx into all SDK calls instead of using context.TODO(); update the signatures where needed and replace context.TODO() with ctx for calls like client.RegisterInstancesWithLoadBalancer and client.RegisterTargets/RegisterTargetGroup/etc. In registerWithNetworkLoadBalancers and similar helpers, avoid dereferencing target.Id unconditionally: only read target.Id for target.Type == "instance" or "ip" (and set the InstanceId/TargetId appropriately), and for "lambda" or "alb" target types either leave the field nil or handle them according to AWS contract (do not call aws.StringValue on a nil pointer); add a nil-check (e.g., if target.Id != nil) or a switch on target.Type to safely build the target description to prevent the panic. Ensure the same ctx propagation and target-type-safe handling is applied to the other referenced call sites (lines noted) for both register and deregister flows.

coderabbitai · 2026-03-11T15:38:45Z

pkg/actuators/machine/loadbalancers.go

+		var target elbv2types.TargetDescription
+		switch string(targetGroup.TargetType) {
+		case string(elbv2types.TargetTypeEnumInstance):
+			target = elbv2types.TargetDescription{
 				Id: instance.InstanceId,
 			}
-			klog.V(4).Infof("Registering instance %q by instance ID to target group: %v", *instance.InstanceId, *targetGroup.TargetGroupArn)
-		case elbv2.TargetTypeEnumIp:
-			target = &elbv2.TargetDescription{
+			klog.V(4).Infof("Registering instance %q by instance ID to target group: %v", *instance.InstanceId, aws.ToString(targetGroup.TargetGroupArn))
+		case string(elbv2types.TargetTypeEnumIp):
+			target = elbv2types.TargetDescription{
 				Id: instance.PrivateIpAddress,
 			}
-			klog.V(4).Infof("Registering instance %q by IP to target group: %v", *instance.InstanceId, *targetGroup.TargetGroupArn)
+			klog.V(4).Infof("Registering instance %q by IP to target group: %v", *instance.InstanceId, aws.ToString(targetGroup.TargetGroupArn))
 		}


⚠️ Potential issue | 🟠 Major

Handle unknown target types before dereferencing target.Id.

Only the instance and ip cases initialize target, so any other TargetType leaves target.Id nil and Line 73 will panic. A default branch plus a nil-ID guard would fail cleanly here.

🛡️ Suggested guard

var target elbv2types.TargetDescription switch string(targetGroup.TargetType) { case string(elbv2types.TargetTypeEnumInstance): target = elbv2types.TargetDescription{ Id: instance.InstanceId, } klog.V(4).Infof("Registering instance %q by instance ID to target group: %v", *instance.InstanceId, aws.ToString(targetGroup.TargetGroupArn)) case string(elbv2types.TargetTypeEnumIp): target = elbv2types.TargetDescription{ Id: instance.PrivateIpAddress, } klog.V(4).Infof("Registering instance %q by IP to target group: %v", *instance.InstanceId, aws.ToString(targetGroup.TargetGroupArn)) + default: + errs = append(errs, fmt.Errorf("%s: unsupported target type %q", aws.ToString(targetGroup.TargetGroupArn), targetGroup.TargetType)) + continue } + if target.Id == nil { + errs = append(errs, fmt.Errorf("%s: missing target identifier for target type %q", aws.ToString(targetGroup.TargetGroupArn), targetGroup.TargetType)) + continue + }

Also applies to: 67-75

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@pkg/actuators/machine/loadbalancers.go` around lines 53 - 65, The switch on targetGroup.TargetType only sets target.Id for Instance and Ip and can leave target.Id nil, so add a default case in the switch (checking targetGroup.TargetType) that logs/returns/skips for unsupported target types instead of leaving target uninitialized; then before any dereference of target.Id (or before using it in registration/logging) add a nil guard like if target.Id == nil { klog.Errorf("unsupported or missing target id for target group %v", aws.ToString(targetGroup.TargetGroupArn)); continue/return/error } and use aws.ToString(target.Id) (or otherwise safely handle the nil) when logging/using the ID; update the switch block that handles elbv2types.TargetTypeEnumInstance and elbv2types.TargetTypeEnumIp and the subsequent registration/logging code to include these guards.

coderabbitai · 2026-03-11T15:38:45Z

pkg/actuators/machine/utils.go

 	}

-	result, err := client.DescribeInstances(request)
+	result, err := client.DescribeInstances(context.TODO(), request)


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n pkg/actuators/machine/utils.go | sed -n '110,130p'

Repository: openshift/machine-api-provider-aws

Length of output: 843

🏁 Script executed:

cat -n pkg/actuators/machine/utils.go | sed -n '190,210p'

Repository: openshift/machine-api-provider-aws

Length of output: 933

🏁 Script executed:

cat -n pkg/actuators/machine/utils.go | sed -n '220,240p'

Repository: openshift/machine-api-provider-aws

Length of output: 814

🏁 Script executed:

cat -n pkg/actuators/machine/utils.go | sed -n '255,275p'

Repository: openshift/machine-api-provider-aws

Length of output: 777

🏁 Script executed:

rg -n "^func.*getInstanceByID|^func.*correctExistingTags|^func.*getInstances|^func.*terminateInstances" pkg/actuators/machine/utils.go

Repository: openshift/machine-api-provider-aws

Length of output: 611

🏁 Script executed:

cat -n pkg/actuators/machine/utils.go | sed -n '100,120p'

Repository: openshift/machine-api-provider-aws

Length of output: 852

🏁 Script executed:

cat -n pkg/actuators/machine/utils.go | sed -n '175,210p'

Repository: openshift/machine-api-provider-aws

Length of output: 1446

🏁 Script executed:

cat -n pkg/actuators/machine/utils.go | sed -n '205,230p'

Repository: openshift/machine-api-provider-aws

Length of output: 1062

🏁 Script executed:

cat -n pkg/actuators/machine/utils.go | sed -n '245,265p'

Repository: openshift/machine-api-provider-aws

Length of output: 1158

🏁 Script executed:

rg -n "getInstanceByID|correctExistingTags|getInstances|terminateInstances" pkg/actuators/machine/utils.go | grep -v "^[0-9]*:func\|^[0-9]*://"

Repository: openshift/machine-api-provider-aws

Length of output: 431

🏁 Script executed:

fd "\.go$" pkg/actuators/machine | xargs rg -l "getInstanceByID|correctExistingTags|getInstances|terminateInstances" | head -5

Repository: openshift/machine-api-provider-aws

Length of output: 219

🏁 Script executed:

rg -n -B 5 "getInstanceByID|getInstances\(" pkg/actuators/machine/instances.go | head -50

Repository: openshift/machine-api-provider-aws

Length of output: 60

🏁 Script executed:

rg -n -B 5 "terminateInstances|correctExistingTags" pkg/actuators/machine/instances.go | head -50

Repository: openshift/machine-api-provider-aws

Length of output: 258

🏁 Script executed:

rg -n "func.*$ctx\|context" pkg/actuators/machine/instances.go | head -10

Repository: openshift/machine-api-provider-aws

Length of output: 60

🏁 Script executed:

rg -n "func.*\(ctx\|context" pkg/actuators/machine/reconciler.go | head -10

Repository: openshift/machine-api-provider-aws

Length of output: 60

🏁 Script executed:

cat -n pkg/actuators/machine/instances.go | sed -n '45,75p'

Repository: openshift/machine-api-provider-aws

Length of output: 1218

🏁 Script executed:

rg -n "context\." pkg/actuators/machine/instances.go | head -15

Repository: openshift/machine-api-provider-aws

Length of output: 854

🏁 Script executed:

rg -n "context\." pkg/actuators/machine/reconciler.go | head -15

Repository: openshift/machine-api-provider-aws

Length of output: 60

🏁 Script executed:

rg -n "^func \(.*$" pkg/actuators/machine/instances.go | head -20

Repository: openshift/machine-api-provider-aws

Length of output: 209

🏁 Script executed:

rg -n "^func $.*$" pkg/actuators/machine/reconciler.go | head -20

Repository: openshift/machine-api-provider-aws

Length of output: 892

🏁 Script executed:

cat -n pkg/actuators/machine/reconciler.go | head -100 | tail -50

Repository: openshift/machine-api-provider-aws

Length of output: 2792

🏁 Script executed:

rg -n "type Reconciler struct" pkg/actuators/machine/reconciler.go -A 20

Repository: openshift/machine-api-provider-aws

Length of output: 895

🏁 Script executed:

rg -n "Context" pkg/actuators/machine/reconciler.go | head -10

Repository: openshift/machine-api-provider-aws

Length of output: 269

🏁 Script executed:

rg -n "type machineScope struct" pkg/actuators/machine/ -A 15

Repository: openshift/machine-api-provider-aws

Length of output: 1280

🏁 Script executed:

grep -n "Context.*context" pkg/actuators/machine/machine_scope.go | head -10

Repository: openshift/machine-api-provider-aws

Length of output: 60

Propagate the caller context into these EC2 requests.

Using context.TODO() here discards cancellation and deadlines from the request path. The context is available through the machineScope.Context embedded field at entry points and should be threaded through these helper functions instead of being discarded.

Affected lines: 117, 198, 225, 261

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@pkg/actuators/machine/utils.go` at line 117, The EC2 calls use context.TODO() which discards cancellation/deadline propagation; update the helper functions that call client.DescribeInstances (and similar EC2 client calls at the noted locations) to accept a context.Context parameter (or accept the machine scope so you can read machineScope.Context) and replace context.TODO() with that context (use machineScope.Context where these helpers are invoked). Locate all occurrences of client.DescribeInstances(...) and other EC2 calls in this file and thread the caller context through the function signatures and call sites so cancellation and deadlines from machineScope.Context are honored.

coderabbitai · 2026-03-11T15:38:45Z

pkg/client/client.go

+	GetCachedDescribeRegions(ctx context.Context, cfg aws.Config) (*ec2.DescribeRegionsOutput, error)
 }


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cd / && find . -type f -name "client.go" | grep "pkg/client" | head -5

Repository: openshift/machine-api-provider-aws

Length of output: 522

🏁 Script executed:

wc -l pkg/client/client.go

Repository: openshift/machine-api-provider-aws

Length of output: 102

🏁 Script executed:

cat -n pkg/client/client.go | sed -n '1,50p'

Repository: openshift/machine-api-provider-aws

Length of output: 1967

🏁 Script executed:

cat -n pkg/client/client.go | sed -n '240,280p'

Repository: openshift/machine-api-provider-aws

Length of output: 1614

🏁 Script executed:

cat -n pkg/client/client.go | sed -n '260,280p'

Repository: openshift/machine-api-provider-aws

Length of output: 984

🏁 Script executed:

cat -n pkg/client/client.go | sed -n '50,150p'

Repository: openshift/machine-api-provider-aws

Length of output: 6962

🏁 Script executed:

cat -n pkg/client/client.go | sed -n '273,320p'

Repository: openshift/machine-api-provider-aws

Length of output: 2115

🏁 Script executed:

cat -n pkg/client/client.go | sed -n '150,240p'

Repository: openshift/machine-api-provider-aws

Length of output: 5001

🏁 Script executed:

cat -n pkg/client/client.go | sed -n '320,400p'

Repository: openshift/machine-api-provider-aws

Length of output: 4008

🏁 Script executed:

grep -n "newAWSConfig" pkg/client/client.go | head -10

Repository: openshift/machine-api-provider-aws

Length of output: 607

🏁 Script executed:

cat -n pkg/client/client.go | sed -n '330,450p'

Repository: openshift/machine-api-provider-aws

Length of output: 5604

🏁 Script executed:

cat -n pkg/client/client.go | sed -n '390,430p'

Repository: openshift/machine-api-provider-aws

Length of output: 1502

🏁 Script executed:

cat -n pkg/client/client.go | sed -n '444,480p'

Repository: openshift/machine-api-provider-aws

Length of output: 1761

🏁 Script executed:

cat -n pkg/client/client.go | sed -n '212,227p'

Repository: openshift/machine-api-provider-aws

Length of output: 1002

🏁 Script executed:

grep -n "GetCachedDescribeRegions\|RegionCache" pkg/client/client.go

Repository: openshift/machine-api-provider-aws

Length of output: 1069

Region validation bypasses the configured EC2 endpoint.

newAWSConfig() resolves custom EC2 BaseEndpoint options and returns them separately as ec2OptFns, but GetCachedDescribeRegions() receives only aws.Config and creates an EC2 client without these service options. When custom endpoints are configured via Infrastructure.Status.PlatformStatus.AWS.ServiceEndpoints, the region validation uses the default endpoint instead of the configured one, while the actual client created afterward applies the configuration correctly. Pass the EC2 option functions to the cache method or apply them when building the validation client.

Also applies to: 275-297, 333-345, 397-401

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@pkg/client/client.go` around lines 262 - 263, GetCachedDescribeRegions is building an EC2 client from only aws.Config, so it ignores the service-specific ec2OptFns (resolved in newAWSConfig) and thus validates regions against the default endpoint; update the cache API and callers to accept and forward the EC2 service option funcs (ec2OptFns) or apply those funcs when constructing the validation EC2 client inside GetCachedDescribeRegions so the DescribeRegions call uses the configured BaseEndpoint; search for newAWSConfig, ec2OptFns, and GetCachedDescribeRegions (and the other affected cached methods referenced around lines 275-297, 333-345, 397-401) and ensure each callsite passes the ec2 option functions through to the cache and that the cache uses them when creating the ec2.NewFromConfig client.

openshift-ci · 2026-03-11T20:58:45Z

@RadekManak: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/goimports	`7a53191`	link	true	`/test goimports`
ci/prow/e2e-aws	`7a53191`	link	true	`/test e2e-aws`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-merge-robot · 2026-03-11T20:58:58Z

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 11, 2026

openshift-ci bot requested review from chrischdi and nrb March 11, 2026 15:25

coderabbitai bot reviewed Mar 11, 2026

View reviewed changes

openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 11, 2026

		output, err := client.AllocateHosts(context.TODO(), allocateInput)
		if err != nil {

		GetCachedDescribeRegions(ctx context.Context, cfg aws.Config) (*ec2.DescribeRegionsOutput, error)
		}

Conversation

RadekManak commented Mar 11, 2026 • edited by coderabbitai bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Release Notes

Uh oh!

RadekManak commented Mar 11, 2026

Uh oh!

coderabbitai bot commented Mar 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Estimated code review effort

❌ Failed checks (1 warning, 1 inconclusive)

Uh oh!

openshift-ci bot commented Mar 11, 2026

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Mar 11, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Mar 11, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Mar 11, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Mar 11, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Mar 11, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Mar 11, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Mar 11, 2026

Choose a reason for hiding this comment

Uh oh!

openshift-ci bot commented Mar 11, 2026

Uh oh!

openshift-merge-robot commented Mar 11, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

RadekManak commented Mar 11, 2026 •

edited by coderabbitai bot

Loading

coderabbitai bot commented Mar 11, 2026 •

edited

Loading