@andrewjjenkins
Last active March 22, 2018 21:32
Talk to dynamo from Istio mesh
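# Istio EgressRule (config.istio.io/v1alpha2) letting workloads in the
# "default" namespace reach the DynamoDB endpoint in us-west-2 on port 443.
#
# Nesting restored: the listing had lost its indentation, and without it the
# keys under metadata/spec are not parsed as children of those mappings.
#
# With protocol "https" the application is expected to send plain HTTP to
# port 443 and let the sidecar originate TLS; the accompanying awswrapper
# package does this by disabling SSL in the SDK and appending ":443" to the
# resolved endpoint URL.
# NOTE(review): the hop from the application to the sidecar is unencrypted and
# server-certificate verification becomes the sidecar's job — confirm that the
# deployed Istio version validates the upstream certificate.
apiVersion: config.istio.io/v1alpha2
kind: EgressRule
metadata:
  name: aws-dynamo-us-west-2-egress
  namespace: default
spec:
  destination:
    service: dynamodb.us-west-2.amazonaws.com
  ports:
    - port: 443
      protocol: https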
import (
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/dynamodb"
"github.com/you/repo/pkg/awswrapper"
)
// Dynamo bundles an AWS session with the DynamoDB client created from it.
type Dynamo struct {
	// Session is the AWS session the client was built on.
	Session *session.Session
	// Db is the DynamoDB service client bound to Session.
	Db *dynamodb.DynamoDB
}
// NewWithConfig creates a session through awswrapper.AwsSession (logging
// label "Test") and returns a Dynamo holding that session and a DynamoDB
// client built on it. Any session error is returned unchanged.
//
// cfg is passed through as-is, so whether the client uses TLS is decided
// entirely by the caller's config (see awswrapper.AwsConfig and its InMesh
// switch).
//
// NOTE(review): this function references aws.Config, but the listing's import
// block does not show "github.com/aws/aws-sdk-go/aws" — confirm the import
// exists in the real file.
func NewWithConfig(cfg *aws.Config) (*Dynamo, error) {
	awsSess, err := awswrapper.AwsSession("Test", cfg)
	if err != nil {
		return nil, err
	}
	return &Dynamo{
		Session: awsSess,
		Db:      dynamodb.New(awsSess),
	}, nil
}
package awswrapper
import (
"net/http"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/endpoints"
"github.com/aws/aws-sdk-go/aws/request"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/golang/glog"
"github.com/you/repo/pkg/tracing"
)
// Config describes how one AWS client should reach its service endpoint.
type Config struct {
	// InMesh, when true, makes AwsConfig disable SSL in the SDK and install
	// istioEgressEPResolver. It is meant for workloads whose egress is
	// intercepted by an Istio sidecar that originates TLS.
	// NOTE(review): with InMesh set and no sidecar in the path, the signed
	// request would be sent unencrypted.
	InMesh bool
	// Endpoint is handed to the SDK via WithEndpoint,
	// e.g. http://dynamodb.us-west-2.amazonaws.com
	Endpoint string
	// Label identifies this client in log messages.
	Label string
}
// istioEgressEPResolver resolves the endpoint with the SDK's default resolver
// and then appends ":443" to the resulting URL. Combined with DisableSSL in
// AwsConfig this yields plain-HTTP requests addressed to port 443, which is
// the form the https EgressRule expects from the application.
//
// On a resolver error the endpoint and error are returned untouched.
//
// NOTE(review): the suffix is appended unconditionally; this assumes the
// default resolver never returns a URL that already carries a port or a path.
func istioEgressEPResolver(service, region string, optFns ...func(*endpoints.Options)) (endpoints.ResolvedEndpoint, error) {
	resolved, err := endpoints.DefaultResolver().EndpointFor(service, region, optFns...)
	if err == nil {
		resolved.URL += ":443"
	}
	return resolved, err
}
// AwsConfig builds an *aws.Config from cfg.
//
// The endpoint is always taken from cfg.Endpoint. When cfg.InMesh is true the
// config additionally disables SSL in the SDK and installs
// istioEgressEPResolver, so requests go out as plain HTTP to port 443 for the
// Istio sidecar to wrap in TLS; this is logged once with cfg.Label.
//
// NOTE(review): nothing here verifies that a sidecar actually intercepts the
// traffic. InMesh must only be true inside the mesh, otherwise the signed
// request leaves the pod in cleartext.
// NOTE(review): the SDK appears to bypass the EndpointResolver when Endpoint
// is non-empty, in which case the ":443" suffix is never applied — confirm
// against the SDK version in use.
func AwsConfig(cfg Config) *aws.Config {
	awsCfg := aws.NewConfig().WithEndpoint(cfg.Endpoint)
	if !cfg.InMesh {
		return awsCfg
	}

	glog.Infof("Using http for AWS for %s", cfg.Label)
	return awsCfg.
		WithDisableSSL(true).
		WithEndpointResolver(endpoints.ResolverFunc(istioEgressEPResolver))
}
// AwsSession creates an AWS session from cfg and registers three Send
// handlers on it: one that adds tracing headers, one that logs each request,
// and one that removes the tracing headers again. label prefixes every log
// line. A session-creation error is returned unchanged.
//
// The order of the three registrations below is significant; do not reorder.
func AwsSession(label string, cfg *aws.Config) (*session.Session, error) {
	sess, err := session.NewSession(cfg)
	if err != nil {
		return nil, err
	}

	// Verbose (V(6)) request log. Only method, scheme, host and path are
	// written; headers and body (and so the Authorization header) are not.
	logRequest := func(r *request.Request) {
		httpReq := r.HTTPRequest
		glog.V(6).Infof("%s: %s %s://%s%s",
			label,
			httpReq.Method,
			httpReq.URL.Scheme,
			httpReq.URL.Host,
			httpReq.URL.Path,
		)
	}

	// Tracing headers are added at the front of the Send list, i.e. ahead of
	// core.SendHandler, which puts the request on the wire. Send handlers run
	// after signing, so these headers are deliberately left out of the
	// signature: Istio rewrites them in flight, and a signature covering them
	// would fail validation.
	sess.Handlers.Send.PushFront(addTracingHeaders)

	sess.Handlers.Send.PushBack(logRequest)

	// Appended after core.SendHandler to strip the tracing headers again. On
	// a retry the request is re-signed; if the headers were still present
	// they would be signed, and validation would fail once Istio updates
	// them.
	sess.Handlers.Send.PushBack(removeTracingHeaders)

	return sess, nil
}