Add crossplane IAM Roles for control plane nodes

Author: fiunchinho

helm/cluster-aws/templates/crossplane-iam-role-control-plane.yaml

@@ -0,0 +1,186 @@
+---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: Role
+metadata:
+  name: {{ include "resource.default.name" $ }}-control-plane
+  labels:
+    {{- include "labels.common" $ | nindent 4 }}
+    app.kubernetes.io/version: {{ .Chart.Version | quote }}
+spec:
+  forProvider:
+    assumeRolePolicy: |
+      {
+        "Version": "2012-10-17",
+        "Statement": [
+          {
+            "Effect": "Allow",
+            "Principal": {
+              "Service": "ec2.amazonaws.com{{- if hasPrefix "cn-" .Values.awsRegion }}.cn{{- end }}"
+            },
+            "Action": "sts:AssumeRole"
+          }
+        ]
+      }
+    tags:
+      managed-by: "cluster-aws"
+      giantswarm.io/cluster: {{ include "resource.default.name" $ }}
+      giantswarm.io/installation: {{ .Values.global.managementCluster }}
+      {{- if .Values.global.providerSpecific.additionalResourceTags -}}{{- toYaml .Values.global.providerSpecific.additionalResourceTags | nindent 4 }}{{- end}}
+  providerConfigRef:
+    name: {{ include "resource.default.name" $ }}
+---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicy
+metadata:
+  name: {{ include "resource.default.name" $ }}-control-plane
+  labels:
+    cluster.x-k8s.io/cluster-name: {{ include "resource.default.name" $ }}
+spec:
+  forProvider:
+    roleRef:
+      name: {{ include "resource.default.name" $ }}-control-plane
+    policy: |
+      {
+        "Version": "2012-10-17",
+        "Statement": [
+          {
+            "Action": "elasticloadbalancing:*",
+            "Resource": "*",
+            "Effect": "Allow"
+          },
+          {
+            "Action": [
+              "autoscaling:DescribeAutoScalingGroups",
+              "autoscaling:DescribeAutoScalingInstances",
+              "autoscaling:DescribeTags",
+              "autoscaling:DescribeLaunchConfigurations",
+              "ec2:DescribeLaunchTemplateVersions"
+            ],
+            "Resource": "*",
+            "Effect": "Allow"
+          },
+          {
+            "Action": [
+              "ecr:GetAuthorizationToken",
+              "ecr:BatchCheckLayerAvailability",
+              "ecr:GetDownloadUrlForLayer",
+              "ecr:GetRepositoryPolicy",
+              "ecr:DescribeRepositories",
+              "ecr:ListImages",
+              "ecr:BatchGetImage"
+            ],
+            "Resource": "*",
+            "Effect": "Allow"
+          },
+          {
+            "Action": [
+              "ec2:AssignPrivateIpAddresses",
+              "ec2:AttachNetworkInterface",
+              "ec2:CreateNetworkInterface",
+              "ec2:DeleteNetworkInterface",
+              "ec2:DescribeInstances",
+              "ec2:DescribeInstanceTypes",
+              "ec2:DescribeTags",
+              "ec2:DescribeNetworkInterfaces",
+              "ec2:DetachNetworkInterface",
+              "ec2:ModifyNetworkInterfaceAttribute",
+              "ec2:UnassignPrivateIpAddresses"
+            ],
+            "Resource": "*",
+            "Effect": "Allow"
+          },
+          {
+            "Action": [
+              "autoscaling:DescribeAutoScalingGroups",
+              "autoscaling:DescribeLaunchConfigurations",
+              "autoscaling:DescribeTags",
+              "ec2:DescribeAvailabilityZones",
+              "ec2:DescribeInstances",
+              "ec2:DescribeImages",
+              "ec2:DescribeRegions",
+              "ec2:DescribeRouteTables",
+              "ec2:DescribeSecurityGroups",
+              "ec2:DescribeSubnets",
+              "ec2:DescribeVolumes",
+              "ec2:CreateSecurityGroup",
+              "ec2:CreateTags",
+              "ec2:CreateVolume",
+              "ec2:ModifyInstanceAttribute",
+              "ec2:ModifyVolume",
+              "ec2:AttachVolume",
+              "ec2:DescribeVolumesModifications",
+              "ec2:AuthorizeSecurityGroupIngress",
+              "ec2:CreateRoute",
+              "ec2:DeleteRoute",
+              "ec2:DeleteSecurityGroup",
+              "ec2:DeleteVolume",
+              "ec2:DetachVolume",
+              "ec2:RevokeSecurityGroupIngress",
+              "ec2:DescribeVpcs",
+              "elasticloadbalancing:AddTags",
+              "elasticloadbalancing:AttachLoadBalancerToSubnets",
+              "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+              "elasticloadbalancing:CreateLoadBalancer",
+              "elasticloadbalancing:CreateLoadBalancerPolicy",
+              "elasticloadbalancing:CreateLoadBalancerListeners",
+              "elasticloadbalancing:ConfigureHealthCheck",
+              "elasticloadbalancing:DeleteLoadBalancer",
+              "elasticloadbalancing:DeleteLoadBalancerListeners",
+              "elasticloadbalancing:DescribeLoadBalancers",
+              "elasticloadbalancing:DescribeLoadBalancerAttributes",
+              "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+              "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+              "elasticloadbalancing:ModifyLoadBalancerAttributes",
+              "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+              "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+              "elasticloadbalancing:AddTags",
+              "elasticloadbalancing:CreateListener",
+              "elasticloadbalancing:CreateTargetGroup",
+              "elasticloadbalancing:DeleteListener",
+              "elasticloadbalancing:DeleteTargetGroup",
+              "elasticloadbalancing:DescribeListeners",
+              "elasticloadbalancing:DescribeLoadBalancerPolicies",
+              "elasticloadbalancing:DescribeTargetGroups",
+              "elasticloadbalancing:DescribeTargetHealth",
+              "elasticloadbalancing:ModifyListener",
+              "elasticloadbalancing:ModifyTargetGroup",
+              "elasticloadbalancing:RegisterTargets",
+              "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
+              "iam:CreateServiceLinkedRole",
+              "kms:DescribeKey"
+            ],
+            "Resource": [
+              "*"
+            ],
+            "Effect": "Allow"
+          },
+          {
+            "Action": [
+              "secretsmanager:GetSecretValue",
+              "secretsmanager:DeleteSecret"
+            ],
+            "Resource": "arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/*",
+            "Effect": "Allow"
+          }
+        ]
+      }
+  providerConfigRef:
+    name: {{ include "resource.default.name" $ }}
+---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: InstanceProfile
+metadata:
+  name: {{ include "resource.default.name" $ }}-control-plane
+  labels:
+    {{- include "labels.common" $ | nindent 4 }}
+    app.kubernetes.io/version: {{ .Chart.Version | quote }}
+spec:
+  forProvider:
+    role: {{ include "resource.default.name" $ }}-control-plane
+    tags:
+      managed-by: "cluster-aws"
+      giantswarm.io/cluster: {{ include "resource.default.name" $ }}
+      giantswarm.io/installation: {{ .Values.global.managementCluster }}
+      {{- if .Values.global.providerSpecific.additionalResourceTags -}}{{- toYaml .Values.global.providerSpecific.additionalResourceTags | nindent 4 }}{{- end}}
+  providerConfigRef:
+    name: {{ include "resource.default.name" $ }}

helm/cluster-aws/templates/workers-crossplane-iam-role.yaml renamed to helm/cluster-aws/templates/crossplane-iam-role-worker.yaml

@@ -15,7 +15,7 @@ spec:
           {
             "Effect": "Allow",
             "Principal": {
-              "Service": "ec2.amazonaws.com"
+              "Service": "ec2.amazonaws.com{{- if hasPrefix "cn-" .Values.awsRegion }}.cn{{- end }}"
             },
             "Action": "sts:AssumeRole"
           }