feat(integration): enable CodeBuild and Nix for rust integration tests #5578
Merged
kaukabrizvi merged 33 commits into aws:main from Oct 31, 2025
dougch
reviewed
Oct 24, 2025
Contributor
Great start; I have some requests and we should chat offline about a couple items.
jmayclin
reviewed
Oct 28, 2025
jmayclin
reviewed
Oct 31, 2025
nix/shell.sh
Outdated
| -DCMAKE_BUILD_TYPE=RelWithDebInfo | ||
|
|
||
| # Check if we're in a rust shell by looking for S2N_RUST_MODE environment variable | ||
| if [[ "$S2N_RUST_MODE" == "1" ]]; then |
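Review bot: the `[[ "$S2N_RUST_MODE" == "1" ]]` test expands the variable with no default, so if this script is run or sourced under `set -u`, an unset S2N_RUST_MODE raises an unbound-variable error instead of falling through to the non-Rust path; `"${S2N_RUST_MODE:-}"` avoids that. The exact match on "1" also means any other value silently selects the non-Rust build, which is worth stating in the comment above the check.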
Contributor
Let's maybe chat offline about this?
It looks like there isn't actually any reused code in this function. It's either entirely the if block or the else block, which seems like maybe it should just be a different function? Maybe that would also let us drop the S2N_CMAKE_OPTIONS?
Contributor
Author
Chatted offline, will split this into rust_configure and rust_build functions since it makes the code more readable and will add documentation for the local dev. workflow.
…build (#5)
* use Nix clang/LLVM bintools + cmake/ninja; set CC/CXX and llvm-* in shellHook
* add static AWS-LC builds for Rust integration compatibility
* simplify logic to enable rust integration tests
* Add rust integ codebuild job
* Remove LLVM to test in codebuild
* identify clang path for bindgen
* specify cargo version in rust_integration
* use Nix Rust toolchain (no rustup) to fix CI cargo resolution
* run Rust generator from correct crate
* Specify s2n directory for codebuild access
* Subshell to avoid early exit in rust_integration
* Add postbuild phase
* add cargo debug statement
* Add debug statements to diagnose cargo rustup issues
* Force rust install to resolve rustup toolchain issues
* Get rid of unnecessary build step in spec
* Simplify build logic and correct string matching in capability check
* Fix unbound var error in spec
* Add expected test failures for PQ MLDsa
* Simplify nix reqs
* Add s2n no headbuild var for testing
* Fix syntax err
* set no headbuild for all libcryptos
* Temporary fix to check integv2 compatibility
* Undo temporary branch naming change
Co-authored-by: James Mayclin <maycj@amazon.com>
jmayclin
approved these changes
Oct 31, 2025
Goal:
Develop scaffolding for Rust integration testing within Nix-based tooling to support CI coverage across aws-lc, aws-lc-fips, OpenSSL 3.X, OpenSSL 1.1.1, and OpenSSL 1.0.2. This PR builds on the utilities for rust integration tests implemented in #5475.
Why:
We would like to improve integration tests to make them easier to debug, performant, and possible to run locally, so we are pursuing rust-based integration tests. Previously, our CI lacked dedicated Nix-based Rust integration scaffolding. This PR modifies the nix dev shells to ensure the rust_integration function can run in a nix environment without unresolved symbol or link-time dependency errors. Currently the tests stored in bindings/rust/standard/integration are run in this environment.
Currently, the lack of libclang and cargo support in nix results in failures when generating s2n-tls rust bindings in a nix-based environment. This PR modifies the nix environment and rust_integration function to support the build such that it builds consistently in the local nix environment and in CI. Additionally, aws-lc builds provide a shared lib by default in nix, but static linking is required for internal libcrypto builds, so this modifies the build flags to ensure successful builds in Rust.
Current Rust tests are only gated on a combined PQAlgorithms flag, masking differences between ML-KEM and ML-DSA support between aws-lc and aws-lc-fips.
How:
Testing:
Ran codebuild batch build for the integ_rust buildspec to verify that Rust integration tests pass across all libcrypto variants via the new Nix+CodeBuild matrix.
Ran existing IntegV2 batch build which is unaffected.
Next Steps:
Future PRs will introduce the batch build to GH actions and expand Rust coverage to replace Integration V2 cases.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.