WIP: Fix tests for 7837

kubernetes · Jan 5, 2020 · e90b40d · e90b40d
1 parent b21e345
commit e90b40d
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 35 deletions.
diff --git a/tests/integration/update_cluster/complex/cloudformation.json b/tests/integration/update_cluster/complex/cloudformation.json
@@ -1039,7 +1039,10 @@
             }
           ],
           "Version": "2012-10-17"
-        }
+        },
+        "ManagedPolicyArns": [
+          "aws:arn:iam:123456789000:policy:test-policy"
+        ]
       }
     },
     "AWSIAMRolenodescomplexexamplecom": {
@@ -1057,7 +1060,10 @@
             }
           ],
           "Version": "2012-10-17"
-        }
+        },
+        "ManagedPolicyArns": [
+          "aws:arn:iam:123456789000:policy:test-policy"
+        ]
       }
     },
     "AWSRoute53RecordSetapicomplexexamplecom": {

diff --git a/tests/integration/update_cluster/complex/kubernetes.tf b/tests/integration/update_cluster/complex/kubernetes.tf
@@ -267,36 +267,6 @@ resource "aws_iam_role" "nodes-complex-example-com" {
   assume_role_policy = "${file("${path.module}/data/aws_iam_role_nodes.complex.example.com_policy")}"
 }
 
-resource "aws_iam_policy" "role-test-policy" {
-  name        = "role-test-policy"
-  description = "A test policy"
-
-  policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": [
-        "ec2:Describe*"
-      ],
-      "Effect": "Allow",
-      "Resource": "*"
-    }
-  ]
-}
-EOF
-}
-
-resource "aws_iam_role_policy_attachment" "nodes-policyoverride" {
-  role       = "${aws_iam_role.nodes-complex-example-com.name}"
-  policy_arn = "${aws_iam_policy.role-test-policy.arn}"
-}
-
-resource "aws_iam_role_policy_attachment" "masters-policyoverride" {
-  role       = "${aws_iam_role.masters-complex-example-com.name}"
-  policy_arn = "${aws_iam_policy.role-test-policy.arn}"
-}
-
 resource "aws_iam_role_policy" "masters-complex-example-com" {
   name   = "masters.complex.example.com"
   role   = "${aws_iam_role.masters-complex-example-com.name}"
@@ -309,6 +279,16 @@ resource "aws_iam_role_policy" "nodes-complex-example-com" {
   policy = "${file("${path.module}/data/aws_iam_role_policy_nodes.complex.example.com_policy")}"
 }
 
+resource "aws_iam_role_policy_attachment" "master-policyoverride" {
+  role       = "${aws_iam_role.masters-complex-example-com.name}"
+  policy_arn = "aws:arn:iam:123456789000:policy:test-policy"
+}
+
+resource "aws_iam_role_policy_attachment" "node-policyoverride" {
+  role       = "${aws_iam_role.nodes-complex-example-com.name}"
+  policy_arn = "aws:arn:iam:123456789000:policy:test-policy"
+}
+
 resource "aws_internet_gateway" "complex-example-com" {
   vpc_id = "${aws_vpc.complex-example-com.id}"
 

diff --git a/upup/pkg/fi/cloudup/awstasks/iamrole.go b/upup/pkg/fi/cloudup/awstasks/iamrole.go
@@ -220,6 +220,7 @@ func (e *IAMRole) TerraformLink() *terraform.Literal {
 type cloudformationIAMRole struct {
 	RoleName                 *string `json:"RoleName"`
 	AssumeRolePolicyDocument map[string]interface{}
+	ManagedPolicyArns []string `json:"ManagedPolicyArns,omitempty"`
 }
 
 func (_ *IAMRole) RenderCloudformation(t *cloudformation.CloudformationTarget, a, e, changes *IAMRole) error {

diff --git a/upup/pkg/fi/cloudup/awstasks/iamrolepolicy.go b/upup/pkg/fi/cloudup/awstasks/iamrolepolicy.go
@@ -274,9 +274,9 @@ func (e *IAMRolePolicy) policyDocumentString() (string, error) {
 }
 
 type terraformIAMRolePolicy struct {
-	Name           *string            `json:"name"`
+	Name           *string            `json:"name,omitempty"`
 	Role           *terraform.Literal `json:"role"`
-	PolicyDocument *terraform.Literal `json:"policy"`
+	PolicyDocument *terraform.Literal `json:"policy,omitempty"`
 	PolicyArn      *string            `json:"policy_arn,omitempty"`
 }
 
@@ -329,7 +329,19 @@ func (_ *IAMRolePolicy) RenderCloudformation(t *cloudformation.CloudformationTar
 	// Currently CloudFormation does not have a reciprocal function to Terraform that allows the modification of a role
 	// after the fact. In order to make this feature complete we would have to intercept the role task and modify it.
 	if e.PolicyOverrides != nil && len(*e.PolicyOverrides) > 0 {
-		return fmt.Errorf("CloudFormation not supported for use with PolicyOverrides.")
+		cfObj, ok := t.Find(e.Role.CloudformationLink())
+		if !ok {
+			// topo-sort fail?
+			return fmt.Errorf("Role not yet rendered")
+		}
+		cf, ok := cfObj.(*cloudformationIAMRole)
+		if !ok {
+			return fmt.Errorf("unexpected type for CF record: %T", cfObj)
+		}
+
+		cf.ManagedPolicyArns = *e.PolicyOverrides
+
+		return nil
 	}
 
 	policyString, err := e.policyDocumentString()