From 6c0f74e4b37b8ef81c927adca1112680d0bf2ad0 Mon Sep 17 00:00:00 2001 From: Otavio Macedo <288203+otaviomacedo@users.noreply.github.com> Date: Wed, 27 Nov 2024 08:24:40 +0000 Subject: [PATCH] fix(cli): assume role calls are skipping the proxy (#32291) `STSClientConfig` and `NodeHttpHandlerOptions` are different types, but all have optional properties only. That means that a call like this: ```ts const credentials = await fromTemporaryCredentials({ masterCredentials: mainCredentials.credentials, params: { RoleArn: roleArn, ExternalId: externalId, RoleSessionName: `aws-cdk-${safeUsername()}`, ...additionalOptions, TransitiveTagKeys: additionalOptions?.Tags ? additionalOptions.Tags.map((t) => t.Key!) : undefined, }, clientConfig: { region, ...this.requestHandler, // type NodeHttpHandlerOptions }, })(); ``` compiles just fine, when the intention was to write: ```ts fromTemporaryCredentials({ ... clientConfig: { region, requestHandler: this.requestHandler, // type NodeHttpHandlerOptions }, }); ``` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../tests/cli-integ-tests/cli.integtest.ts | 17 ++++++++++++++--- .../aws-cdk/lib/api/aws-auth/sdk-provider.ts | 2 +- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/packages/@aws-cdk-testing/cli-integ/tests/cli-integ-tests/cli.integtest.ts b/packages/@aws-cdk-testing/cli-integ/tests/cli-integ-tests/cli.integtest.ts index 67ba684fc9915..c96fab3a476ba 100644 --- a/packages/@aws-cdk-testing/cli-integ/tests/cli-integ-tests/cli.integtest.ts +++ b/packages/@aws-cdk-testing/cli-integ/tests/cli-integ-tests/cli.integtest.ts @@ -1,4 +1,5 @@ import { existsSync, promises as fs } from 'fs'; +import * as querystring from 'node:querystring'; import * as os from 'os'; import * as path from 'path'; import { 
@@ -23,6 +24,7 @@ import { PutObjectLockConfigurationCommand } from '@aws-sdk/client-s3'; import { CreateTopicCommand, DeleteTopicCommand } from '@aws-sdk/client-sns'; import { AssumeRoleCommand, GetCallerIdentityCommand } from '@aws-sdk/client-sts'; import * as mockttp from 'mockttp'; +import { CompletedRequest } from 'mockttp'; import { cloneDirectory, integTest, @@ -2846,10 +2848,19 @@ integTest('requests go through a proxy when configured', }); } finally { await fs.rm(certDir, { recursive: true, force: true }); + await proxyServer.stop(); } - // Checking that there was some interaction with the proxy - const requests = await endpoint.getSeenRequests(); - expect(requests.length).toBeGreaterThan(0); + const actionsUsed = actions(await endpoint.getSeenRequests()); + expect(actionsUsed).toContain('AssumeRole'); + expect(actionsUsed).toContain('CreateChangeSet'); }), ); + +function actions(requests: CompletedRequest[]): string[] { + return [...new Set(requests + .map(req => req.body.buffer.toString('utf-8')) + .map(body => querystring.decode(body)) + .map(x => x.Action as string) + .filter(action => action != null))]; +} diff --git a/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts b/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts index 0aded40cfce1f..e1d631672d39e 100644 --- a/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts +++ b/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts @@ -375,7 +375,7 @@ export class SdkProvider { }, clientConfig: { region, - ...this.requestHandler, + requestHandler: this.requestHandler, }, })();
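Review bot: In the new `actions()` helper at the bottom of cli.integtest.ts, `x.Action as string` asserts a type that `querystring.decode` does not give: the value can be `string`, `string[]` or `undefined`, and the cast runs before the null filter. Narrowing with a guard keeps the `string[]` return type honest: `.map(x => x.Action)` followed by `.filter((a): a is string => typeof a === 'string')`. The helper also only sees form-encoded bodies that carry an `Action` field, so a request sent in any other wire format is dropped silently. A short doc comment such as `/** Distinct Action values from form-encoded request bodies seen by the proxy; requests without an Action field are ignored. */` would keep a later assertion on such a service from failing for a confusing reason.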
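Review bot: In sdk-provider.ts the corrected `requestHandler: this.requestHandler` line has nothing beside it that says why the nesting matters. The commit message shows the spread form type-checks because both types have only optional properties, so the same slip can come back unnoticed. Since the effect was role-assumption calls leaving outside the configured proxy, a comment at the property is worth adding, for example `// Pass the handler options under requestHandler; spreading them compiles but silently drops the proxy settings for AssumeRole calls`. It would also be worth checking whether other client configs in this file are built from `this.requestHandler` with a spread, which is not visible here. The enclosing method starts and ends outside the hunk.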