package iam
import (
"context"
"fmt"
"strings"
"github.com/aws/aws-sdk-go-v2/service/cloudformation/types"
awsiam "github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/kris-nova/logger"
"github.com/pkg/errors"
api "github.com/weaveworks/eksctl/pkg/apis/eksctl.io/v1alpha5"
"github.com/weaveworks/eksctl/pkg/awsapi"
"github.com/weaveworks/eksctl/pkg/cfn/outputs"
)
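// ImportInstanceRoleFromProfileARN looks up the instance profile named in
// profileARN and stores the ARN of that profile's first role in
// ng.IAM.InstanceRoleARN.
//
// profileARN must contain exactly one "/" separating the ARN prefix from a
// non-empty profile name; anything else is rejected before IAM is called.
// The role ARN that ends up on the nodegroup is taken from the
// GetInstanceProfile response, never from the caller-supplied string. If the
// profile carries more than one role, only the first is used and a debug
// message records the others.
//
// It returns an error when the ARN is malformed, when the IAM call fails, or
// when the response holds no usable role ARN.
func ImportInstanceRoleFromProfileARN(ctx context.Context, iamAPI awsapi.IAM, ng *api.NodeGroup, profileARN string) error {
	partsOfProfileARN := strings.Split(profileARN, "/")
	if len(partsOfProfileARN) != 2 || partsOfProfileARN[1] == "" {
		// An empty name would only fail later inside the IAM call with a
		// less helpful message, so reject it here with the original input.
		return fmt.Errorf("unexpected format of instance profile ARN: %q", profileARN)
	}
	profileName := partsOfProfileARN[1]

	output, err := iamAPI.GetInstanceProfile(ctx, &awsiam.GetInstanceProfileInput{
		InstanceProfileName: &profileName,
	})
	if err != nil {
		return errors.Wrap(err, "importing instance role ARN")
	}
	// Guard the pointer chain: the result is dereferenced below and a nil
	// field would otherwise panic instead of returning an error.
	if output == nil || output.InstanceProfile == nil {
		return fmt.Errorf("instance profile %q missing from IAM response", profileName)
	}

	roles := output.InstanceProfile.Roles
	if len(roles) == 0 {
		return fmt.Errorf("instance profile %q has no roles", profileName)
	}
	if len(roles) > 1 {
		// The format string has three verbs; the role count must be passed
		// explicitly or the message is rendered with a missing argument.
		logger.Debug("instance profile %q has %d roles, only first role will be used (%#v)", profileName, len(roles), roles)
	}
	if roles[0].Arn == nil {
		return fmt.Errorf("first role of instance profile %q has no ARN", profileName)
	}

	// Mirror UseFromNodeGroup: allocate the IAM section when the caller has
	// not set one, rather than panicking on a nil pointer.
	if ng.IAM == nil {
		ng.IAM = &api.NodeGroupIAM{}
	}
	ng.IAM.InstanceRoleARN = *roles[0].Arn
	return nil
}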
// UseFromNodeGroup fills in ng's IAM settings from the outputs of an existing
// nodegroup stack. ng.IAM is allocated first when it is nil, and the
// instance role ARN output is handed to outputs.Collect as the only required
// collector.
func UseFromNodeGroup(stack *types.Stack, ng *api.NodeGroup) error {
	if ng.IAM == nil {
		ng.IAM = &api.NodeGroupIAM{}
	}

	// Copies the stack's instance role ARN output onto the nodegroup config.
	setInstanceRoleARN := func(roleARN string) error {
		ng.IAM.InstanceRoleARN = roleARN
		return nil
	}

	required := map[string]outputs.Collector{
		outputs.NodeGroupInstanceRoleARN: setInstanceRoleARN,
	}
	// No optional collectors are registered, hence the nil third argument.
	return outputs.Collect(*stack, required, nil)
}