aws/capi: IAM: add BYO support & user tags

Adds support for users to bring their own IAM roles.

Adds support to tag IAM resources with user tags.

Author: patrickdillon

pkg/infrastructure/aws/clusterapi/aws.go

@@ -17,8 +17,9 @@ type Provider struct{}
 // Name gives the name of the provider, AWS.
 func (*Provider) Name() string { return awstypes.Name }
 
+// PreProvision creates the IAM roles used by all nodes in the cluster.
 func (*Provider) PreProvision(ctx context.Context, in clusterapi.PreProvisionInput) error {
-	if err := putIAMRoles(ctx, in.InfraID, in.InstallConfig); err != nil {
+	if err := createIAMRoles(ctx, in.InfraID, in.InstallConfig); err != nil {
 		return fmt.Errorf("failed to create IAM roles: %w", err)
 	}
 	return nil

pkg/infrastructure/aws/clusterapi/iam.go

@@ -16,9 +16,14 @@ import (
 	"github.com/openshift/installer/pkg/asset/installconfig"
 )
 
+const (
+	master = "master"
+	worker = "worker"
+)
+
 var (
 	policies = map[string]*iamv1.PolicyDocument{
-		"master": {
+		master: {
 			Version: "2012-10-17",
 			Statement: []iamv1.StatementEntry{
 				{
@@ -69,7 +74,7 @@ var (
 				},
 			},
 		},
-		"worker": {
+		worker: {
 			Version: "2012-10-17",
 			Statement: []iamv1.StatementEntry{
 				{
@@ -85,8 +90,8 @@ var (
 	}
 )
 
-// putIAMRoles creates the roles used by control-plane and compute nodes.
-func putIAMRoles(ctx context.Context, clusterID string, ic *installconfig.InstallConfig) error {
+// createIAMRoles creates the roles used by control-plane and compute nodes.
+func createIAMRoles(ctx context.Context, infraID string, ic *installconfig.InstallConfig) error {
 	logrus.Infoln("Creating IAM roles for control-plane and compute nodes")
 	// Create the IAM Role with the aws sdk.
 	// https://docs.aws.amazon.com/sdk-for-go/api/service/iam/#IAM.CreateRole
@@ -97,9 +102,18 @@ func putIAMRoles(ctx context.Context, clusterID string, ic *installconfig.Instal
 	svc := iam.New(session)
 
 	// Create the IAM Roles for master and workers.
-	clusterOwnedIAMTag := &iam.Tag{
-		Key:   aws.String(fmt.Sprintf("kubernetes.io/cluster/%s", clusterID)),
-		Value: aws.String("owned"),
+	tags := []*iam.Tag{
+		{
+			Key:   aws.String(fmt.Sprintf("kubernetes.io/cluster/%s", infraID)),
+			Value: aws.String("owned"),
+		},
+	}
+
+	for k, v := range ic.Config.AWS.UserTags {
+		tags = append(tags, &iam.Tag{
+			Key:   aws.String(k),
+			Value: aws.String(v),
+		})
 	}
 
 	assumePolicy := &iamv1.PolicyDocument{
@@ -123,43 +137,27 @@ func putIAMRoles(ctx context.Context, clusterID string, ic *installconfig.Instal
 		return fmt.Errorf("failed to marshal assume policy: %w", err)
 	}
 
-	for _, role := range []string{"master", "worker"} {
-		roleName := aws.String(fmt.Sprintf("%s-%s-role", clusterID, role))
-		if _, err := svc.GetRoleWithContext(ctx, &iam.GetRoleInput{RoleName: roleName}); err != nil {
-			var awsErr awserr.Error
-			if errors.As(err, &awsErr) && awsErr.Code() != iam.ErrCodeNoSuchEntityException {
-				return fmt.Errorf("failed to get %s role: %w", role, err)
-			}
-			// If the role does not exist, create it.
-			createRoleInput := &iam.CreateRoleInput{
-				RoleName:                 roleName,
-				AssumeRolePolicyDocument: aws.String(string(assumePolicyBytes)),
-				Tags:                     []*iam.Tag{clusterOwnedIAMTag},
-			}
-			if _, err := svc.CreateRoleWithContext(ctx, createRoleInput); err != nil {
-				return fmt.Errorf("failed to create %s role: %w", role, err)
-			}
-
-			if err := svc.WaitUntilRoleExistsWithContext(ctx, &iam.GetRoleInput{RoleName: roleName}); err != nil {
-				return fmt.Errorf("failed to wait for %s role to exist: %w", role, err)
-			}
+	for _, role := range []string{master, worker} {
+		roleName, err := getOrCreateIAMRole(ctx, role, infraID, string(assumePolicyBytes), *ic, tags, svc)
+		if err != nil {
+			return fmt.Errorf("failed to create IAM roles: %w", err)
 		}
 
 		// Put the policy inline.
-		policyName := aws.String(fmt.Sprintf("%s-%s-policy", clusterID, role))
+		policyName := aws.String(fmt.Sprintf("%s-%s-policy", infraID, role))
 		b, err := json.Marshal(policies[role])
 		if err != nil {
 			return fmt.Errorf("failed to marshal %s policy: %w", role, err)
 		}
 		if _, err := svc.PutRolePolicyWithContext(ctx, &iam.PutRolePolicyInput{
 			PolicyDocument: aws.String(string(b)),
 			PolicyName:     policyName,
-			RoleName:       roleName,
+			RoleName:       aws.String(roleName),
 		}); err != nil {
 			return fmt.Errorf("failed to create inline policy for role %s: %w", role, err)
 		}
 
-		profileName := aws.String(fmt.Sprintf("%s-%s-profile", clusterID, role))
+		profileName := aws.String(fmt.Sprintf("%s-%s-profile", infraID, role))
 		if _, err := svc.GetInstanceProfileWithContext(ctx, &iam.GetInstanceProfileInput{InstanceProfileName: profileName}); err != nil {
 			var awsErr awserr.Error
 			if errors.As(err, &awsErr) && awsErr.Code() != iam.ErrCodeNoSuchEntityException {
@@ -168,7 +166,7 @@ func putIAMRoles(ctx context.Context, clusterID string, ic *installconfig.Instal
 			// If the profile does not exist, create it.
 			if _, err := svc.CreateInstanceProfileWithContext(ctx, &iam.CreateInstanceProfileInput{
 				InstanceProfileName: profileName,
-				Tags:                []*iam.Tag{clusterOwnedIAMTag},
+				Tags:                tags,
 			}); err != nil {
 				return fmt.Errorf("failed to create %s instance profile: %w", role, err)
 			}
@@ -179,7 +177,7 @@ func putIAMRoles(ctx context.Context, clusterID string, ic *installconfig.Instal
 			// Finally, attach the role to the profile.
 			if _, err := svc.AddRoleToInstanceProfileWithContext(ctx, &iam.AddRoleToInstanceProfileInput{
 				InstanceProfileName: profileName,
-				RoleName:            roleName,
+				RoleName:            aws.String(roleName),
 			}); err != nil {
 				return fmt.Errorf("failed to add %s role to instance profile: %w", role, err)
 			}
@@ -189,6 +187,55 @@ func putIAMRoles(ctx context.Context, clusterID string, ic *installconfig.Instal
 	return nil
 }
 
+// getOrCreateRole returns the name of the IAM role to be used,
+// creating it when not specified by the user in the install config.
+func getOrCreateIAMRole(ctx context.Context, nodeRole, infraID, assumePolicy string, ic installconfig.InstallConfig, tags []*iam.Tag, svc *iam.IAM) (string, error) {
+	roleName := aws.String(fmt.Sprintf("%s-%s-role", infraID, nodeRole))
+
+	var defaultRole string
+	if dmp := ic.Config.AWS.DefaultMachinePlatform; dmp != nil && len(dmp.IAMRole) > 0 {
+		defaultRole = dmp.IAMRole
+	}
+
+	masterRole := defaultRole
+	if cp := ic.Config.ControlPlane; cp != nil && cp.Platform.AWS != nil && len(cp.Platform.AWS.IAMRole) > 0 {
+		masterRole = cp.Platform.AWS.IAMRole
+	}
+
+	workerRole := defaultRole
+	if w := ic.Config.Compute; len(w) > 0 && w[0].Platform.AWS != nil && len(w[0].Platform.AWS.IAMRole) > 0 {
+		workerRole = w[0].Platform.AWS.IAMRole
+	}
+
+	switch {
+	case nodeRole == master && len(masterRole) > 0:
+		return masterRole, nil
+	case nodeRole == worker && len(workerRole) > 0:
+		return workerRole, nil
+	}
+
+	if _, err := svc.GetRoleWithContext(ctx, &iam.GetRoleInput{RoleName: roleName}); err != nil {
+		var awsErr awserr.Error
+		if errors.As(err, &awsErr) && awsErr.Code() != iam.ErrCodeNoSuchEntityException {
+			return "", fmt.Errorf("failed to get %s role: %w", nodeRole, err)
+		}
+		// If the role does not exist, create it.
+		createRoleInput := &iam.CreateRoleInput{
+			RoleName:                 roleName,
+			AssumeRolePolicyDocument: aws.String(assumePolicy),
+			Tags:                     tags,
+		}
+		if _, err := svc.CreateRoleWithContext(ctx, createRoleInput); err != nil {
+			return "", fmt.Errorf("failed to create %s role: %w", nodeRole, err)
+		}
+
+		if err := svc.WaitUntilRoleExistsWithContext(ctx, &iam.GetRoleInput{RoleName: roleName}); err != nil {
+			return "", fmt.Errorf("failed to wait for %s role to exist: %w", nodeRole, err)
+		}
+	}
+	return *roleName, nil
+}
+
 func getPartitionService(region string) string {
 	partitionDNSSuffix := "amazonaws.com"
 	if ps, found := endpoints.PartitionForRegion(endpoints.DefaultPartitions(), region); found {