fix test and updates docs

ryan-dyer · ryan-dyer · commit 34160bac12c1 · 2023-05-24T15:14:33.000Z
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_allow_assume_role.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_allow_assume_role.yaml
@@ -173,6 +173,7 @@ Resources:
           - ec2:DescribeAddresses
           - ec2:DescribeAvailabilityZones
           - ec2:DescribeInstances
+          - ec2:DescribeInstanceTypes
           - ec2:DescribeInternetGateways
           - ec2:DescribeEgressOnlyInternetGateways
           - ec2:DescribeInstanceTypes
@@ -205,6 +206,7 @@ Resources:
           - elasticloadbalancing:DeleteTargetGroup
           - elasticloadbalancing:DescribeLoadBalancers
           - elasticloadbalancing:DescribeLoadBalancerAttributes
+          - elasticloadbalancing:DescribeTargetGroups
           - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
           - elasticloadbalancing:DescribeTags
           - elasticloadbalancing:ModifyLoadBalancerAttributes
diff --git a/docs/book/src/topics/multitenancy.md b/docs/book/src/topics/multitenancy.md
@@ -213,6 +213,9 @@ There are multiple AWS assume role permissions that need to be configured in ord
   }
   ```
 
+Both of these permissions can be enabled via clusterawsadm as documented [here](using-clusterawsadm-to-fulfill-prerequisites.md#cross-account-role-assumption).
+
+
 ### Examples
 
 This is a deployable example which uses the `AWSClusterRoleIdentity` "test-account-role" to assume into the `arn:aws:iam::123456789:role/CAPARole` role in the target account.
diff --git a/docs/book/src/topics/using-clusterawsadm-to-fulfill-prerequisites.md b/docs/book/src/topics/using-clusterawsadm-to-fulfill-prerequisites.md
@@ -106,6 +106,36 @@ spec:
   ...
 ```
 
+#### Cross Account Role Assumption
+
+CAPA, by default, does not provide the necessary permissions to allow cross-account role assumption, which can be used to manage clusters in other environments. This is documented [here](multitenancy.md#necessary-permissions-for-assuming-a-role). The 'sts:AssumeRole' permissions can be added via the following configuration on the manager account configuration:
+
+```yaml
+apiVersion: bootstrap.aws.infrastructure.cluster.x-k8s.io/v1beta1
+kind: AWSIAMConfiguration
+spec:
+  ...
+  allowAssumeRole: true
+  ...
+```
+
+The above will give the controller to have the necessary permissions needed in order for it to manage clusters in other accounts using the AWSClusterRoleIdentity. Please note, the above should only be applied to the account where CAPA is running. To allow CAPA to assume the roles in the managed/target accounts, the following configuration needs to be used:
+```yaml
+apiVersion: bootstrap.aws.infrastructure.cluster.x-k8s.io/v1beta1
+kind: AWSIAMConfiguration
+spec:
+  ...
+  clusterAPIControllers:
+    disabled: false
+    trustStatements:
+    - Action:
+      - "sts:AssumeRole"
+      Effect: "Allow"
+      Principal:
+        AWS:
+        - "arn:aws:iam::<manager account>:role/controllers.cluster-api-provider-aws.sigs.k8s.io"
+  ...
+```
 
 
 ### Without `clusterawsadm`

Original file line number	Diff line number	Diff line change
`@@ -213,6 +213,9 @@ There are multiple AWS assume role permissions that need to be configured in ord`
`213`	`213`	`}`
`214`	`214`	```
`215`	`215`
	`216`	`+Both of these permissions can be enabled via clusterawsadm as documented [here](using-clusterawsadm-to-fulfill-prerequisites.md#cross-account-role-assumption).`
	`217`	`+`
	`218`	`+`
`216`	`219`	`### Examples`
`217`	`220`
`218`	`221`	This is a deployable example which uses the `AWSClusterRoleIdentity` "test-account-role" to assume into the `arn:aws:iam::123456789:role/CAPARole` role in the target account.