Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add permissions for ELB to create service linked roles #489

Merged
merged 3 commits into from
Jan 24, 2019
Merged

Add permissions for ELB to create service linked roles #489

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
3056c80
iam: Change policy conditions to interface{}
randomvariable Jan 23, 2019
73f650f
iam: Add Condition workaround for GoFormation
randomvariable Jan 23, 2019
61b17df
cloudformation: Extend ELB perms
randomvariable Jan 23, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions cmd/clusterawsadm/cmd/alpha/bootstrap/BUILD
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ go_library(
visibility = ["//visibility:public"],
deps = [
"//pkg/cloud/aws/services/cloudformation:go_default_library",
"//pkg/cloud/aws/services/iam:go_default_library",
"//pkg/cloud/aws/services/sts:go_default_library",
"//vendor/github.com/aws/aws-sdk-go/aws/session:go_default_library",
"//vendor/github.com/aws/aws-sdk-go/service/cloudformation:go_default_library",
Expand Down
3 changes: 2 additions & 1 deletion cmd/clusterawsadm/cmd/alpha/bootstrap/bootstrap.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ import (
awssts "github.com/aws/aws-sdk-go/service/sts"
"github.com/spf13/cobra"
"sigs.k8s.io/cluster-api-provider-aws/pkg/cloud/aws/services/cloudformation"
"sigs.k8s.io/cluster-api-provider-aws/pkg/cloud/aws/services/iam"
"sigs.k8s.io/cluster-api-provider-aws/pkg/cloud/aws/services/sts"
)

Expand Down Expand Up @@ -106,7 +107,7 @@ Instructions for obtaining the AWS account ID can be found on https://docs.aws.a
return err
}

fmt.Print(string(j))
fmt.Print(iam.ProcessPolicyDocument(string(j)))
return nil
},
}
Expand Down
15 changes: 14 additions & 1 deletion pkg/cloud/aws/services/cloudformation/bootstrap.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -188,6 +188,19 @@ func controllersPolicy(accountID string) *iam.PolicyDocument {
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
},
},
{
Effect: iam.EffectAllow,
Resource: iam.Resources{fmt.Sprintf(
"arn:aws:iam::%s:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing",
accountID),
},
Action: iam.Actions{
"iam:CreateServiceLinkedRole",
},
Condition: iam.Conditions{
"StringLike": map[string]string{"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"},
},
},
{
Effect: iam.EffectAllow,
Resource: iam.Resources{fmt.Sprintf(
Expand Down Expand Up @@ -340,7 +353,7 @@ func (s *Service) ReconcileBootstrapStack(stackName string, accountID string) er
return errors.Wrap(err, "failed to generate AWS CloudFormation YAML")
}

if err := s.createStack(stackName, string(yaml)); err != nil {
if err := s.createStack(stackName, iam.ProcessPolicyDocument(string(yaml))); err != nil {
if code, _ := awserrors.Code(errors.Cause(err)); code == "AlreadyExistsException" {
klog.Infof("AWS Cloudformation stack %q already exists, updating", stackName)
updateErr := s.updateStack(stackName, string(yaml))
Expand Down
23 changes: 17 additions & 6 deletions pkg/cloud/aws/services/iam/types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ package iam
import (
"encoding/json"
"fmt"
"strings"
)

const (
Expand Down Expand Up @@ -63,7 +64,13 @@ type StatementEntry struct {
Effect string `json:"Effect"`
Action Actions `json:"Action"`
Resource Resources `json:",omitempty"`
Condition Conditions `json:",omitempty"`

// Condition is currently called IAMConditions to pass through
// GoFormation's template processing without being replaced
// with an intrinsic function. If you use a Condition statement,
// run the resultant stringified template through ProcessPolicyDocument
// to change back IAMCondition to Condition.
Condition Conditions `json:"IAMConditions,omitempty"`
}

// Statements is the list of StatementEntries
Expand All @@ -82,22 +89,26 @@ type Resources []string
type PrincipalID []string

// Conditions is the map of all conditions in the statement entry.
type Conditions map[string]ConditionValues

// ConditionValues are a list of condition values in a condition statement
type ConditionValues []string
type Conditions map[string]interface{}

// JSON is the JSON output of the policy document
func (p *PolicyDocument) JSON() (string, error) {
b, err := json.Marshal(&p)
if err != nil {
return "", err
}
return string(b), nil
return ProcessPolicyDocument(string(b)), nil
}

// NewManagedName creates an IAM acceptable name prefixed with this Cluster API
// implementation's prefix.
func NewManagedName(prefix string) string {
return fmt.Sprintf("%s.%s", prefix, IAMSuffix)
}

// ProcessPolicyDocument replaces IAMConditions in serialised StatementEntry
// objects with Condition as per the AWS IAM policy schema as a work-around for
// https://github.com/awslabs/goformation/issues/157
func ProcessPolicyDocument(p string) string {
return strings.Replace(p, "IAMConditions", "Condition", 1)
}