aws: move permission list generation to its own function.

r4f4 · r4f4 · commit 5aa4840f54e5 · 2024-07-11T14:44:55.000+02:00
This will allow for it to be reused without code duplication and for it
to be unit tested.
diff --git a/pkg/asset/installconfig/aws/permissions.go b/pkg/asset/installconfig/aws/permissions.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/sirupsen/logrus"
+	"k8s.io/apimachinery/pkg/util/sets"
 
 	ccaws "github.com/openshift/cloud-credential-operator/pkg/aws"
 	"github.com/openshift/installer/pkg/types"
@@ -293,14 +294,9 @@ var permissions = map[PermissionGroup][]string{
 // as either capable of creating new credentials for components that interact with the cloud or
 // being able to be passed through as-is to the components that need cloud credentials
 func ValidateCreds(ssn *session.Session, groups []PermissionGroup, region string) error {
-	// Compile a list of permissions based on the permission groups provided
-	requiredPermissions := []string{}
-	for _, group := range groups {
-		groupPerms, ok := permissions[group]
-		if !ok {
-			return fmt.Errorf("unable to access permissions group %s", group)
-		}
-		requiredPermissions = append(requiredPermissions, groupPerms...)
+	requiredPermissions, err := PermissionsList(groups)
+	if err != nil {
+		return err
 	}
 
 	client := ccaws.NewClientFromSession(ssn)
@@ -341,8 +337,85 @@ func ValidateCreds(ssn *session.Session, groups []PermissionGroup, region string
 	return errors.New("AWS credentials cannot be used to either create new creds or use as-is")
 }
 
-// IncludesExistingInstanceRole checks if at least one BYO instance role is included in the install-config.
-func IncludesExistingInstanceRole(installConfig *types.InstallConfig) bool {
+// RequiredPermissionGroups returns a set of required permissions for a given cluster configuration.
+func RequiredPermissionGroups(ic *types.InstallConfig) []PermissionGroup {
+	permissionGroups := []PermissionGroup{PermissionCreateBase}
+	usingExistingVPC := len(ic.AWS.Subnets) != 0
+	usingExistingPrivateZone := len(ic.AWS.HostedZone) != 0
+
+	if !usingExistingVPC {
+		permissionGroups = append(permissionGroups, PermissionCreateNetworking)
+	}
+
+	if !usingExistingPrivateZone {
+		permissionGroups = append(permissionGroups, PermissionCreateHostedZone)
+	}
+
+	ec2RootVolume := aws.EC2RootVolume{}
+	var awsMachinePoolUsingKMS, masterMachinePoolUsingKMS bool
+	if ic.AWS.DefaultMachinePlatform != nil && ic.AWS.DefaultMachinePlatform.EC2RootVolume != ec2RootVolume {
+		awsMachinePoolUsingKMS = len(ic.AWS.DefaultMachinePlatform.EC2RootVolume.KMSKeyARN) != 0
+	}
+	if ic.ControlPlane != nil &&
+		ic.ControlPlane.Name == types.MachinePoolControlPlaneRoleName &&
+		ic.ControlPlane.Platform.AWS != nil &&
+		ic.ControlPlane.Platform.AWS.EC2RootVolume != ec2RootVolume {
+		masterMachinePoolUsingKMS = len(ic.ControlPlane.Platform.AWS.EC2RootVolume.KMSKeyARN) != 0
+	}
+	// Add KMS encryption keys, if provided.
+	if awsMachinePoolUsingKMS || masterMachinePoolUsingKMS {
+		logrus.Debugf("Adding %s to the group of permissions", PermissionKMSEncryptionKeys)
+		permissionGroups = append(permissionGroups, PermissionKMSEncryptionKeys)
+	}
+
+	// Add delete permissions for non-C2S installs.
+	if !aws.IsSecretRegion(ic.AWS.Region) {
+		permissionGroups = append(permissionGroups, PermissionDeleteBase)
+		if usingExistingVPC {
+			permissionGroups = append(permissionGroups, PermissionDeleteSharedNetworking)
+		} else {
+			permissionGroups = append(permissionGroups, PermissionDeleteNetworking)
+		}
+		if !usingExistingPrivateZone {
+			permissionGroups = append(permissionGroups, PermissionDeleteHostedZone)
+		}
+	}
+
+	if ic.AWS.PublicIpv4Pool != "" {
+		permissionGroups = append(permissionGroups, PermissionPublicIpv4Pool)
+	}
+
+	if !ic.AWS.BestEffortDeleteIgnition {
+		permissionGroups = append(permissionGroups, PermissionDeleteIgnitionObjects)
+	}
+
+	if includesCreateInstanceRole(ic) {
+		permissionGroups = append(permissionGroups, PermissionCreateInstanceRole)
+	}
+
+	if includesExistingInstanceRole(ic) {
+		permissionGroups = append(permissionGroups, PermissionDeleteSharedInstanceRole)
+	}
+
+	return permissionGroups
+}
+
+// PermissionsList compiles a list of permissions based on the permission groups provided.
+func PermissionsList(required []PermissionGroup) ([]string, error) {
+	requiredPermissions := sets.New[string]()
+	for _, group := range required {
+		groupPerms, ok := permissions[group]
+		if !ok {
+			return nil, fmt.Errorf("unable to access permissions group %s", group)
+		}
+		requiredPermissions.Insert(groupPerms...)
+	}
+
+	return sets.List(requiredPermissions), nil
+}
+
+// includesExistingInstanceRole checks if at least one BYO instance role is included in the install-config.
+func includesExistingInstanceRole(installConfig *types.InstallConfig) bool {
 	mpool := aws.MachinePool{}
 	mpool.Set(installConfig.AWS.DefaultMachinePlatform)
 
@@ -357,8 +430,8 @@ func IncludesExistingInstanceRole(installConfig *types.InstallConfig) bool {
 	return len(mpool.IAMRole) > 0
 }
 
-// IncludesCreateInstanceRole checks if at least one instance role will be created by the installer.
-func IncludesCreateInstanceRole(installConfig *types.InstallConfig) bool {
+// includesCreateInstanceRole checks if at least one instance role will be created by the installer.
+func includesCreateInstanceRole(installConfig *types.InstallConfig) bool {
 	{
 		mpool := aws.MachinePool{}
 		mpool.Set(installConfig.AWS.DefaultMachinePlatform)
diff --git a/pkg/asset/installconfig/platformpermscheck.go b/pkg/asset/installconfig/platformpermscheck.go
@@ -10,7 +10,6 @@ import (
 	"github.com/openshift/installer/pkg/asset"
 	awsconfig "github.com/openshift/installer/pkg/asset/installconfig/aws"
 	gcpconfig "github.com/openshift/installer/pkg/asset/installconfig/gcp"
-	"github.com/openshift/installer/pkg/types"
 	"github.com/openshift/installer/pkg/types/aws"
 	"github.com/openshift/installer/pkg/types/azure"
 	"github.com/openshift/installer/pkg/types/baremetal"
@@ -54,63 +53,7 @@ func (a *PlatformPermsCheck) Generate(ctx context.Context, dependencies asset.Pa
 	platform := ic.Config.Platform.Name()
 	switch platform {
 	case aws.Name:
-		permissionGroups := []awsconfig.PermissionGroup{awsconfig.PermissionCreateBase}
-		usingExistingVPC := len(ic.Config.AWS.Subnets) != 0
-		usingExistingPrivateZone := len(ic.Config.AWS.HostedZone) != 0
-
-		if !usingExistingVPC {
-			permissionGroups = append(permissionGroups, awsconfig.PermissionCreateNetworking)
-		}
-
-		if !usingExistingPrivateZone {
-			permissionGroups = append(permissionGroups, awsconfig.PermissionCreateHostedZone)
-		}
-
-		var ec2RootVolume = aws.EC2RootVolume{}
-		var awsMachinePoolUsingKMS, masterMachinePoolUsingKMS bool
-		if ic.Config.AWS.DefaultMachinePlatform != nil && ic.Config.AWS.DefaultMachinePlatform.EC2RootVolume != ec2RootVolume {
-			awsMachinePoolUsingKMS = len(ic.Config.AWS.DefaultMachinePlatform.EC2RootVolume.KMSKeyARN) != 0
-		}
-		if ic.Config.ControlPlane != nil &&
-			ic.Config.ControlPlane.Name == types.MachinePoolControlPlaneRoleName &&
-			ic.Config.ControlPlane.Platform.AWS != nil &&
-			ic.Config.ControlPlane.Platform.AWS.EC2RootVolume != ec2RootVolume {
-			masterMachinePoolUsingKMS = len(ic.Config.ControlPlane.Platform.AWS.EC2RootVolume.KMSKeyARN) != 0
-		}
-		// Add KMS encryption keys, if provided.
-		if awsMachinePoolUsingKMS || masterMachinePoolUsingKMS {
-			logrus.Debugf("Adding %s to the group of permissions to validate", awsconfig.PermissionKMSEncryptionKeys)
-			permissionGroups = append(permissionGroups, awsconfig.PermissionKMSEncryptionKeys)
-		}
-
-		// Add delete permissions for non-C2S installs.
-		if !aws.IsSecretRegion(ic.Config.AWS.Region) {
-			permissionGroups = append(permissionGroups, awsconfig.PermissionDeleteBase)
-			if usingExistingVPC {
-				permissionGroups = append(permissionGroups, awsconfig.PermissionDeleteSharedNetworking)
-			} else {
-				permissionGroups = append(permissionGroups, awsconfig.PermissionDeleteNetworking)
-			}
-			if !usingExistingPrivateZone {
-				permissionGroups = append(permissionGroups, awsconfig.PermissionDeleteHostedZone)
-			}
-		}
-
-		if ic.Config.AWS.PublicIpv4Pool != "" {
-			permissionGroups = append(permissionGroups, awsconfig.PermissionPublicIpv4Pool)
-		}
-
-		if !ic.Config.AWS.BestEffortDeleteIgnition {
-			permissionGroups = append(permissionGroups, awsconfig.PermissionDeleteIgnitionObjects)
-		}
-
-		if awsconfig.IncludesCreateInstanceRole(ic.Config) {
-			permissionGroups = append(permissionGroups, awsconfig.PermissionCreateInstanceRole)
-		}
-
-		if awsconfig.IncludesExistingInstanceRole(ic.Config) {
-			permissionGroups = append(permissionGroups, awsconfig.PermissionDeleteSharedInstanceRole)
-		}
+		permissionGroups := awsconfig.RequiredPermissionGroups(ic.Config)
 
 		ssn, err := ic.AWS.Session(ctx)
 		if err != nil {
