Refactor IAM fields

- add instance profile ARN field - use profile and role ARNs when both are set, or fetch instance role based on profile, otherwise create profile or create both
eksctl-io · Jan 28, 2019 · 8a44ed0 · 8a44ed0
1 parent e9c6d8c
commit 8a44ed0
Show file tree

Hide file tree

Showing 15 changed files with 10,788 additions and 51 deletions.
diff --git a/pkg/apis/eksctl.io/v1alpha4/types.go b/pkg/apis/eksctl.io/v1alpha4/types.go
@@ -280,19 +280,25 @@ func (c *ClusterConfig) AppendAvailabilityZone(newAZ string) {
 // NewNodeGroup creates new nodegroup inside cluster config,
 // it returns pointer to the nodegroup for convenience
 func (c *ClusterConfig) NewNodeGroup() *NodeGroup {
-	securityGroups := &NodeGroupSGs{
-		AttachIDs:  []string{},
-		WithLocal:  NewBoolTrue(),
-		WithShared: NewBoolTrue(),
-	}
 
 	ng := &NodeGroup{
 		PrivateNetworking: false,
-		SecurityGroups:    securityGroups,
-		DesiredCapacity:   DefaultNodeCount,
-		InstanceType:      DefaultNodeType,
-		VolumeSize:        0,
-		VolumeType:        DefaultNodeVolumeType,
+		SecurityGroups: &NodeGroupSGs{
+			AttachIDs:  []string{},
+			WithLocal:  NewBoolTrue(),
+			WithShared: NewBoolTrue(),
+		},
+		DesiredCapacity: DefaultNodeCount,
+		InstanceType:    DefaultNodeType,
+		VolumeSize:      0,
+		VolumeType:      DefaultNodeVolumeType,
+		IAM: &NodeGroupIAM{
+			WithAddonPolicies: NodeGroupIAMAddonPolicies{
+				ImageBuilder: NewBoolFalse(),
+				AutoScaler:   NewBoolFalse(),
+				ExternalDNS:  NewBoolFalse(),
+			},
+		},
 	}
 
 	c.NodeGroups = append(c.NodeGroups, ng)
@@ -348,7 +354,7 @@ type NodeGroup struct {
 	SSHPublicKeyName string `json:"sshPublicKeyName,omitempty"`
 
 	// +optional
-	IAM NodeGroupIAM `json:"iam"`
+	IAM *NodeGroupIAM `json:"iam"`
 }
 
 // SubnetTopology check which topology is used for the subnet of
@@ -382,6 +388,8 @@ type (
 		// +optional
 		AttachPolicyARNs []string `json:"attachPolicyARNs,omitempty"`
 		// +optional
+		InstanceProfileARN string `json:"instanceProfileARN,omitempty"`
+		// +optional
 		InstanceRoleARN string `json:"instanceRoleARN,omitempty"`
 		// +optional
 		InstanceRoleName string `json:"instanceRoleName,omitempty"`

diff --git a/pkg/apis/eksctl.io/v1alpha4/validation.go b/pkg/apis/eksctl.io/v1alpha4/validation.go
@@ -11,23 +11,37 @@ func ValidateNodeGroup(i int, ng *NodeGroup) error {
 		return fmt.Errorf("%s.name must be set", path)
 	}
 
-	if ng.IAM.InstanceRoleARN != "" {
-		p := fmt.Sprintf("%s.iam.instanceRoleARN and %s.iam", path, path)
-		if ng.IAM.InstanceRoleName != "" {
-			return fmt.Errorf("%s.instanceRoleName cannot be set at the same time", p)
-		}
-		if len(ng.IAM.AttachPolicyARNs) != 0 {
-			return fmt.Errorf("%s.attachPolicyARNs cannot be set at the same time", p)
-		}
-		if v := ng.IAM.WithAddonPolicies.AutoScaler; v != nil && *v {
-			return fmt.Errorf("%s.withAddonPolicies.autoScaler cannot be set at the same time", p)
-		}
-		if v := ng.IAM.WithAddonPolicies.ExternalDNS; v != nil && *v {
-			return fmt.Errorf("%s.withAddonPolicies.externalDNS cannot be set at the same time", p)
-		}
-		if v := ng.IAM.WithAddonPolicies.ImageBuilder; v != nil && *v {
-			return fmt.Errorf("%s.imageBuilder cannot be set at the same time", p)
+	if ng.IAM == nil {
+		return nil
+	}
+
+	validate := func(value, fieldName string) error {
+		if value != "" {
+			p := fmt.Sprintf("%s.iam.%s and %s.iam", path, fieldName, path)
+			if ng.IAM.InstanceRoleName != "" {
+				return fmt.Errorf("%s.instanceRoleName cannot be set at the same time", p)
+			}
+			if len(ng.IAM.AttachPolicyARNs) != 0 {
+				return fmt.Errorf("%s.attachPolicyARNs cannot be set at the same time", p)
+			}
+			if v := ng.IAM.WithAddonPolicies.AutoScaler; v != nil && *v {
+				return fmt.Errorf("%s.withAddonPolicies.autoScaler cannot be set at the same time", p)
+			}
+			if v := ng.IAM.WithAddonPolicies.ExternalDNS; v != nil && *v {
+				return fmt.Errorf("%s.withAddonPolicies.externalDNS cannot be set at the same time", p)
+			}
+			if v := ng.IAM.WithAddonPolicies.ImageBuilder; v != nil && *v {
+				return fmt.Errorf("%s.imageBuilder cannot be set at the same time", p)
+			}
 		}
+		return nil
+	}
+
+	if err := validate(ng.IAM.InstanceProfileARN, "instanceProfileARN"); err != nil {
+		return err
+	}
+	if err := validate(ng.IAM.InstanceRoleARN, "instanceRoleARN"); err != nil {
+		return err
 	}
 
 	return nil

diff --git a/pkg/apis/eksctl.io/v1alpha4/zz_generated.deepcopy.go b/pkg/apis/eksctl.io/v1alpha4/zz_generated.deepcopy.go
diff --git a/pkg/cfn/builder/api_test.go b/pkg/cfn/builder/api_test.go
@@ -311,6 +311,13 @@ var _ = Describe("CloudFormation template builder API", func() {
 					DesiredCapacity: 2,
 					VolumeSize:      2,
 					VolumeType:      api.NodeVolumeTypeIO1,
+					IAM: &api.NodeGroupIAM{
+						WithAddonPolicies: api.NodeGroupIAMAddonPolicies{
+							ImageBuilder: api.NewBoolFalse(),
+							AutoScaler:   api.NewBoolFalse(),
+							ExternalDNS:  api.NewBoolFalse(),
+						},
+					},
 				},
 			},
 		}
@@ -367,7 +374,7 @@ var _ = Describe("CloudFormation template builder API", func() {
 	Describe("AutoNameTag", func() {
 		cfg, ng := newClusterConfigAndNodegroup()
 
-		rs := NewNodeGroupResourceSet(cfg, "eksctl-test-123-cluster", ng)
+		rs := NewNodeGroupResourceSet(p, cfg, "eksctl-test-123-cluster", ng)
 
 		err := rs.AddAllResources()
 		It("should add all resources without errors", func() {
@@ -410,7 +417,7 @@ var _ = Describe("CloudFormation template builder API", func() {
 		ng.InstanceType = "t2.medium"
 		ng.Name = "ng-abcd1234"
 
-		rs := NewNodeGroupResourceSet(cfg, "eksctl-test-123-cluster", ng)
+		rs := NewNodeGroupResourceSet(p, cfg, "eksctl-test-123-cluster", ng)
 		err := rs.AddAllResources()
 		It("should add all resources without errors", func() {
 			Expect(err).ShouldNot(HaveOccurred())
@@ -443,7 +450,7 @@ var _ = Describe("CloudFormation template builder API", func() {
 
 		ng.IAM.WithAddonPolicies.AutoScaler = api.NewBoolTrue()
 
-		rs := NewNodeGroupResourceSet(cfg, "eksctl-test-123-cluster", ng)
+		rs := NewNodeGroupResourceSet(p, cfg, "eksctl-test-123-cluster", ng)
 		err := rs.AddAllResources()
 		It("should add all resources without errors", func() {
 			Expect(err).ShouldNot(HaveOccurred())
@@ -516,7 +523,7 @@ var _ = Describe("CloudFormation template builder API", func() {
 		ng.PrivateNetworking = true
 		ng.AMIFamily = "AmazonLinux2"
 
-		rs := NewNodeGroupResourceSet(cfg, "eksctl-test-private-ng", ng)
+		rs := NewNodeGroupResourceSet(p, cfg, "eksctl-test-private-ng", ng)
 		err := rs.AddAllResources()
 		It("should add all resources without errors", func() {
 			Expect(err).ShouldNot(HaveOccurred())
@@ -573,7 +580,7 @@ var _ = Describe("CloudFormation template builder API", func() {
 		ng.PrivateNetworking = false
 		ng.AMIFamily = "AmazonLinux2"
 
-		rs := NewNodeGroupResourceSet(cfg, "eksctl-test-public-ng", ng)
+		rs := NewNodeGroupResourceSet(p, cfg, "eksctl-test-public-ng", ng)
 		err := rs.AddAllResources()
 		It("should add all resources without errors", func() {
 			Expect(err).ShouldNot(HaveOccurred())
@@ -669,7 +676,7 @@ var _ = Describe("CloudFormation template builder API", func() {
 			Expect(ng.AvailabilityZones).To(Equal([]string{"us-west-2a"}))
 		})
 
-		rs := NewNodeGroupResourceSet(cfg, "eksctl-test-public-ng", ng)
+		rs := NewNodeGroupResourceSet(p, cfg, "eksctl-test-public-ng", ng)
 		err := rs.AddAllResources()
 		It("should add all resources without errors", func() {
 			Expect(err).ShouldNot(HaveOccurred())
@@ -750,7 +757,7 @@ var _ = Describe("CloudFormation template builder API", func() {
 
 		cfg.NodeGroups[0].InstanceType = "m5.large"
 
-		rs := NewNodeGroupResourceSet(cfg, "eksctl-test-123-cluster", ng)
+		rs := NewNodeGroupResourceSet(p, cfg, "eksctl-test-123-cluster", ng)
 		err := rs.AddAllResources()
 		It("should add all resources without errors", func() {
 			Expect(err).ShouldNot(HaveOccurred())
@@ -815,7 +822,7 @@ var _ = Describe("CloudFormation template builder API", func() {
 		cfg.NodeGroups[0].AMIFamily = "Ubuntu1804"
 		cfg.NodeGroups[0].InstanceType = "m5.large"
 
-		rs := NewNodeGroupResourceSet(cfg, "eksctl-test-123-cluster", ng)
+		rs := NewNodeGroupResourceSet(p, cfg, "eksctl-test-123-cluster", ng)
 		err := rs.AddAllResources()
 		It("should add all resources without errors", func() {
 			Expect(err).ShouldNot(HaveOccurred())

diff --git a/pkg/cfn/builder/cluster.go b/pkg/cfn/builder/cluster.go
@@ -35,12 +35,6 @@ func NewClusterResourceSet(provider api.ClusterProvider, spec *api.ClusterConfig
 func (c *ClusterResourceSet) AddAllResources() error {
 	dedicatedVPC := c.spec.VPC.ID == ""
 
-	c.rs.template.Description = fmt.Sprintf(
-		"%s (dedicated VPC: %v, dedicated IAM: %v) %s",
-		clusterTemplateDescription,
-		dedicatedVPC, true,
-		templateDescriptionSuffix)
-
 	if err := c.spec.HasSufficientSubnets(); err != nil {
 		return err
 	}
@@ -64,6 +58,12 @@ func (c *ClusterResourceSet) AddAllResources() error {
 		return nil
 	})
 
+	c.rs.template.Description = fmt.Sprintf(
+		"%s (dedicated VPC: %v, dedicated IAM: %v) %s",
+		clusterTemplateDescription,
+		dedicatedVPC, c.rs.withIAM,
+		templateDescriptionSuffix)
+
 	return nil
 }