Merge pull request openshift#7871 from r4f4/aws-altinfra-c2s

openshift-merge-bot[bot] · web-flow · commit 61f329f18cfb · 2024-03-23T01:33:59.000Z
OCPBUGS-26052: aws: altinfra: fix role creation in C2S
diff --git a/pkg/infrastructure/aws/aws.go b/pkg/infrastructure/aws/aws.go
@@ -9,6 +9,7 @@ import (
 	"time"
 
 	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/endpoints"
 	"github.com/aws/aws-sdk-go/aws/request"
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/aws/aws-sdk-go/service/ec2/ec2iface"
@@ -196,29 +197,36 @@ func (a InfraProvider) Provision(dir string, parents asset.Parents) ([]*asset.Fi
 		return nil, fmt.Errorf("failed to create security groups: %w", err)
 	}
 
+	partitionDNSSuffix := "amazonaws.com"
+	if ps, found := endpoints.PartitionForRegion(endpoints.DefaultPartitions(), clusterAWSConfig.Region); found {
+		partitionDNSSuffix = ps.DNSSuffix()
+	}
+	logger.Debugf("Using partition DNS suffix: %s", partitionDNSSuffix)
+
 	logger.Infoln("Creating bootstrap resources")
 	bootstrapSubnet := vpcOutput.privateSubnetIDs[0]
 	if usePublicEndpoints {
 		bootstrapSubnet = vpcOutput.publicSubnetIDs[0]
 	}
 	bootstrapInput := bootstrapInputOptions{
 		instanceInputOptions: instanceInputOptions{
-			infraID:           clusterConfig.ClusterID,
-			amiID:             amiID,
-			instanceType:      clusterAWSConfig.MasterInstanceType,
-			iamRole:           clusterAWSConfig.MasterIAMRoleName,
-			volumeType:        "gp2",
-			volumeSize:        30,
-			volumeIOPS:        0,
-			isEncrypted:       true,
-			metadataAuth:      clusterAWSConfig.BootstrapMetadataAuthentication,
-			kmsKeyID:          clusterAWSConfig.KMSKeyID,
-			securityGroupIds:  []string{sgOutput.bootstrap, sgOutput.controlPlane},
-			targetGroupARNs:   lbOutput.targetGroupArns,
-			subnetID:          bootstrapSubnet,
-			associatePublicIP: usePublicEndpoints,
-			userData:          clusterAWSConfig.BootstrapIgnitionStub,
-			tags:              tags,
+			infraID:            clusterConfig.ClusterID,
+			amiID:              amiID,
+			instanceType:       clusterAWSConfig.MasterInstanceType,
+			iamRole:            clusterAWSConfig.MasterIAMRoleName,
+			volumeType:         "gp2",
+			volumeSize:         30,
+			volumeIOPS:         0,
+			isEncrypted:        true,
+			metadataAuth:       clusterAWSConfig.BootstrapMetadataAuthentication,
+			kmsKeyID:           clusterAWSConfig.KMSKeyID,
+			securityGroupIds:   []string{sgOutput.bootstrap, sgOutput.controlPlane},
+			targetGroupARNs:    lbOutput.targetGroupArns,
+			subnetID:           bootstrapSubnet,
+			associatePublicIP:  usePublicEndpoints,
+			userData:           clusterAWSConfig.BootstrapIgnitionStub,
+			partitionDNSSuffix: partitionDNSSuffix,
+			tags:               tags,
 		},
 		ignitionBucket:  clusterAWSConfig.IgnitionBucket,
 		ignitionContent: clusterConfig.IgnitionBootstrap,
@@ -233,21 +241,22 @@ func (a InfraProvider) Provision(dir string, parents asset.Parents) ([]*asset.Fi
 	logger.Infoln("Creating control plane resources")
 	controlPlaneInput := controlPlaneInputOptions{
 		instanceInputOptions: instanceInputOptions{
-			infraID:           clusterConfig.ClusterID,
-			amiID:             amiID,
-			instanceType:      clusterAWSConfig.MasterInstanceType,
-			iamRole:           clusterAWSConfig.MasterIAMRoleName,
-			volumeType:        clusterAWSConfig.Type,
-			volumeSize:        clusterAWSConfig.Size,
-			volumeIOPS:        clusterAWSConfig.IOPS,
-			isEncrypted:       clusterAWSConfig.Encrypted,
-			kmsKeyID:          clusterAWSConfig.KMSKeyID,
-			metadataAuth:      clusterAWSConfig.MasterMetadataAuthentication,
-			securityGroupIds:  append(clusterAWSConfig.MasterSecurityGroups, sgOutput.controlPlane),
-			targetGroupARNs:   lbOutput.targetGroupArns,
-			associatePublicIP: len(os.Getenv("OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY")) > 0,
-			userData:          clusterConfig.IgnitionMaster,
-			tags:              tags,
+			infraID:            clusterConfig.ClusterID,
+			amiID:              amiID,
+			instanceType:       clusterAWSConfig.MasterInstanceType,
+			iamRole:            clusterAWSConfig.MasterIAMRoleName,
+			volumeType:         clusterAWSConfig.Type,
+			volumeSize:         clusterAWSConfig.Size,
+			volumeIOPS:         clusterAWSConfig.IOPS,
+			isEncrypted:        clusterAWSConfig.Encrypted,
+			kmsKeyID:           clusterAWSConfig.KMSKeyID,
+			metadataAuth:       clusterAWSConfig.MasterMetadataAuthentication,
+			securityGroupIds:   append(clusterAWSConfig.MasterSecurityGroups, sgOutput.controlPlane),
+			targetGroupARNs:    lbOutput.targetGroupArns,
+			associatePublicIP:  len(os.Getenv("OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY")) > 0,
+			userData:           clusterConfig.IgnitionMaster,
+			partitionDNSSuffix: partitionDNSSuffix,
+			tags:               tags,
 		},
 		nReplicas:         clusterConfig.Masters,
 		privateSubnetIDs:  vpcOutput.privateSubnetIDs,
@@ -261,8 +270,9 @@ func (a InfraProvider) Provision(dir string, parents asset.Parents) ([]*asset.Fi
 
 	logger.Infoln("Creating compute resources")
 	computeInput := computeInputOptions{
-		infraID: clusterConfig.ClusterID,
-		tags:    tags,
+		infraID:            clusterConfig.ClusterID,
+		partitionDNSSuffix: partitionDNSSuffix,
+		tags:               tags,
 	}
 	err = createComputeResources(ctx, logger, iamClient, &computeInput)
 	if err != nil {
diff --git a/pkg/infrastructure/aws/bootstrap.go b/pkg/infrastructure/aws/bootstrap.go
@@ -37,7 +37,7 @@ func createBootstrapResources(ctx context.Context, logger logrus.FieldLogger, ec
 	}
 
 	profileName := fmt.Sprintf("%s-bootstrap", input.infraID)
-	instanceProfile, err := createBootstrapInstanceProfile(ctx, logger, iamClient, profileName, input.iamRole, input.tags)
+	instanceProfile, err := createBootstrapInstanceProfile(ctx, logger, iamClient, profileName, input.iamRole, input.partitionDNSSuffix, input.tags)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create bootstrap instance profile: %w", err)
 	}
@@ -167,22 +167,8 @@ func limitTags(tags map[string]string, size int) map[string]string {
 	return resized
 }
 
-func createBootstrapInstanceProfile(ctx context.Context, logger logrus.FieldLogger, client iamiface.IAMAPI, name string, roleName string, tags map[string]string) (*iam.InstanceProfile, error) {
-	const (
-		assumeRolePolicy = `{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Action": "sts:AssumeRole",
-            "Principal": {
-                "Service": "ec2.amazonaws.com"
-            },
-            "Effect": "Allow",
-            "Sid": ""
-        }
-    ]
-}`
-		bootstrapPolicy = `{
+func createBootstrapInstanceProfile(ctx context.Context, logger logrus.FieldLogger, client iamiface.IAMAPI, name string, roleName string, partitionDNSSuffix string, tags map[string]string) (*iam.InstanceProfile, error) {
+	const bootstrapPolicy = `{
   "Version": "2012-10-17",
   "Statement": [
     {
@@ -202,7 +188,20 @@ func createBootstrapInstanceProfile(ctx context.Context, logger logrus.FieldLogg
     }
   ]
 }`
-	)
+
+	assumeRolePolicy := fmt.Sprintf(`{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "sts:AssumeRole",
+            "Principal": {
+                "Service": "ec2.%s"
+            },
+            "Effect": "Allow",
+            "Sid": ""
+        }
+    ]
+}`, partitionDNSSuffix)
 
 	profileInput := &instanceProfileOptions{
 		namePrefix:       name,
diff --git a/pkg/infrastructure/aws/compute.go b/pkg/infrastructure/aws/compute.go
@@ -10,36 +10,37 @@ import (
 )
 
 type computeInputOptions struct {
-	infraID string
-	tags    map[string]string
+	infraID            string
+	partitionDNSSuffix string
+	tags               map[string]string
 }
 
 func createComputeResources(ctx context.Context, logger logrus.FieldLogger, iamClient iamiface.IAMAPI, input *computeInputOptions) error {
 	profileName := fmt.Sprintf("%s-worker", input.infraID)
-	_, err := createComputeInstanceProfile(ctx, logger, iamClient, profileName, input.tags)
+	_, err := createComputeInstanceProfile(ctx, logger, iamClient, profileName, input.partitionDNSSuffix, input.tags)
 	if err != nil {
 		return fmt.Errorf("failed to create compute instance profile: %w", err)
 	}
 	logger.Infoln("Created compute instance profile")
 	return nil
 }
 
-func createComputeInstanceProfile(ctx context.Context, logger logrus.FieldLogger, client iamiface.IAMAPI, name string, tags map[string]string) (*iam.InstanceProfile, error) {
-	const (
-		assumeRolePolicy = `{
+func createComputeInstanceProfile(ctx context.Context, logger logrus.FieldLogger, client iamiface.IAMAPI, name string, partitionDNSSuffix string, tags map[string]string) (*iam.InstanceProfile, error) {
+	assumeRolePolicy := fmt.Sprintf(`{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Action": "sts:AssumeRole",
             "Principal": {
-                "Service": "ec2.amazonaws.com"
+                "Service": "ec2.%s"
             },
             "Effect": "Allow",
             "Sid": ""
         }
     ]
-}`
-		policy = `{
+}`, partitionDNSSuffix)
+
+	const policy = `{
   "Version": "2012-10-17",
   "Statement": [
     {
@@ -52,7 +53,6 @@ func createComputeInstanceProfile(ctx context.Context, logger logrus.FieldLogger
     }
   ]
 }`
-	)
 
 	input := &instanceProfileOptions{
 		namePrefix:       name,
diff --git a/pkg/infrastructure/aws/controlplane.go b/pkg/infrastructure/aws/controlplane.go
@@ -26,7 +26,7 @@ type controlPlaneOutput struct {
 
 func createControlPlaneResources(ctx context.Context, logger logrus.FieldLogger, ec2Client ec2iface.EC2API, iamClient iamiface.IAMAPI, elbClient elbv2iface.ELBV2API, input *controlPlaneInputOptions) (*controlPlaneOutput, error) {
 	profileName := fmt.Sprintf("%s-master", input.infraID)
-	instanceProfile, err := createControlPlaneInstanceProfile(ctx, logger, iamClient, profileName, input.iamRole, input.tags)
+	instanceProfile, err := createControlPlaneInstanceProfile(ctx, logger, iamClient, profileName, input.iamRole, input.partitionDNSSuffix, input.tags)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create control plane instance profile: %w", err)
 	}
@@ -51,22 +51,22 @@ func createControlPlaneResources(ctx context.Context, logger logrus.FieldLogger,
 	return &controlPlaneOutput{controlPlaneIPs: instanceIPs}, nil
 }
 
-func createControlPlaneInstanceProfile(ctx context.Context, logger logrus.FieldLogger, client iamiface.IAMAPI, name string, roleName string, tags map[string]string) (*iam.InstanceProfile, error) {
-	const (
-		assumeRolePolicy = `{
+func createControlPlaneInstanceProfile(ctx context.Context, logger logrus.FieldLogger, client iamiface.IAMAPI, name string, roleName string, partitionDNSSuffix string, tags map[string]string) (*iam.InstanceProfile, error) {
+	assumeRolePolicy := fmt.Sprintf(`{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Action": "sts:AssumeRole",
             "Principal": {
-                "Service": "ec2.amazonaws.com"
+                "Service": "ec2.%s"
             },
             "Effect": "Allow",
             "Sid": ""
         }
     ]
-}`
-		policy = `{
+}`, partitionDNSSuffix)
+
+	const policy = `{
   "Version": "2012-10-17",
   "Statement": [
     {
@@ -115,7 +115,6 @@ func createControlPlaneInstanceProfile(ctx context.Context, logger logrus.FieldL
     }
   ]
 }`
-	)
 
 	profileInput := &instanceProfileOptions{
 		namePrefix:       name,
diff --git a/pkg/infrastructure/aws/instance.go b/pkg/infrastructure/aws/instance.go
@@ -36,6 +36,7 @@ type instanceInputOptions struct {
 	instanceProfileARN string
 	volumeType         string
 	metadataAuth       string
+	partitionDNSSuffix string
 	volumeSize         int64
 	volumeIOPS         int64
 	isEncrypted        bool

Original file line number	Diff line number	Diff line change
`@@ -10,36 +10,37 @@ import (`
`10`	`10`	`)`
`11`	`11`
`12`	`12`	`type computeInputOptions struct {`
`13`		`- infraID string`
`14`		`- tags map[string]string`
	`13`	`+ infraID string`
	`14`	`+ partitionDNSSuffix string`
	`15`	`+ tags map[string]string`
`15`	`16`	`}`
`16`	`17`
`17`	`18`	`func createComputeResources(ctx context.Context, logger logrus.FieldLogger, iamClient iamiface.IAMAPI, input *computeInputOptions) error {`
`18`	`19`	`profileName := fmt.Sprintf("%s-worker", input.infraID)`
`19`		`- _, err := createComputeInstanceProfile(ctx, logger, iamClient, profileName, input.tags)`
	`20`	`+ _, err := createComputeInstanceProfile(ctx, logger, iamClient, profileName, input.partitionDNSSuffix, input.tags)`
`20`	`21`	`if err != nil {`
`21`	`22`	`return fmt.Errorf("failed to create compute instance profile: %w", err)`
`22`	`23`	`}`
`23`	`24`	`logger.Infoln("Created compute instance profile")`
`24`	`25`	`return nil`
`25`	`26`	`}`
`26`	`27`
`27`		`-func createComputeInstanceProfile(ctx context.Context, logger logrus.FieldLogger, client iamiface.IAMAPI, name string, tags map[string]string) (*iam.InstanceProfile, error) {`
`28`		`- const (`
`29`		- assumeRolePolicy = `{
	`28`	`+func createComputeInstanceProfile(ctx context.Context, logger logrus.FieldLogger, client iamiface.IAMAPI, name string, partitionDNSSuffix string, tags map[string]string) (*iam.InstanceProfile, error) {`
	`29`	+ assumeRolePolicy := fmt.Sprintf(`{
`30`	`30`	`"Version": "2012-10-17",`
`31`	`31`	`"Statement": [`
`32`	`32`	`{`
`33`	`33`	`"Action": "sts:AssumeRole",`
`34`	`34`	`"Principal": {`
`35`		`- "Service": "ec2.amazonaws.com"`
	`35`	`+ "Service": "ec2.%s"`
`36`	`36`	`},`
`37`	`37`	`"Effect": "Allow",`
`38`	`38`	`"Sid": ""`
`39`	`39`	`}`
`40`	`40`	`]`
`41`		-}`
`42`		- policy = `{
	`41`	+}`, partitionDNSSuffix)
	`42`	`+`
	`43`	+ const policy = `{
`43`	`44`	`"Version": "2012-10-17",`
`44`	`45`	`"Statement": [`
`45`	`46`	`{`
`@@ -52,7 +53,6 @@ func createComputeInstanceProfile(ctx context.Context, logger logrus.FieldLogger`
`52`	`53`	`}`
`53`	`54`	`]`
`54`	`55`	}`
`55`		`- )`
`56`	`56`
`57`	`57`	`input := &instanceProfileOptions{`
`58`	`58`	`namePrefix: name,`
Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ type controlPlaneOutput struct {`
`26`	`26`
`27`	`27`	`func createControlPlaneResources(ctx context.Context, logger logrus.FieldLogger, ec2Client ec2iface.EC2API, iamClient iamiface.IAMAPI, elbClient elbv2iface.ELBV2API, input controlPlaneInputOptions) (controlPlaneOutput, error) {`
`28`	`28`	`profileName := fmt.Sprintf("%s-master", input.infraID)`
`29`		`- instanceProfile, err := createControlPlaneInstanceProfile(ctx, logger, iamClient, profileName, input.iamRole, input.tags)`
	`29`	`+ instanceProfile, err := createControlPlaneInstanceProfile(ctx, logger, iamClient, profileName, input.iamRole, input.partitionDNSSuffix, input.tags)`
`30`	`30`	`if err != nil {`
`31`	`31`	`return nil, fmt.Errorf("failed to create control plane instance profile: %w", err)`
`32`	`32`	`}`
`@@ -51,22 +51,22 @@ func createControlPlaneResources(ctx context.Context, logger logrus.FieldLogger,`
`51`	`51`	`return &controlPlaneOutput{controlPlaneIPs: instanceIPs}, nil`
`52`	`52`	`}`
`53`	`53`
`54`		`-func createControlPlaneInstanceProfile(ctx context.Context, logger logrus.FieldLogger, client iamiface.IAMAPI, name string, roleName string, tags map[string]string) (*iam.InstanceProfile, error) {`
`55`		`- const (`
`56`		- assumeRolePolicy = `{
	`54`	`+func createControlPlaneInstanceProfile(ctx context.Context, logger logrus.FieldLogger, client iamiface.IAMAPI, name string, roleName string, partitionDNSSuffix string, tags map[string]string) (*iam.InstanceProfile, error) {`
	`55`	+ assumeRolePolicy := fmt.Sprintf(`{
`57`	`56`	`"Version": "2012-10-17",`
`58`	`57`	`"Statement": [`
`59`	`58`	`{`
`60`	`59`	`"Action": "sts:AssumeRole",`
`61`	`60`	`"Principal": {`
`62`		`- "Service": "ec2.amazonaws.com"`
	`61`	`+ "Service": "ec2.%s"`
`63`	`62`	`},`
`64`	`63`	`"Effect": "Allow",`
`65`	`64`	`"Sid": ""`
`66`	`65`	`}`
`67`	`66`	`]`
`68`		-}`
`69`		- policy = `{
	`67`	+}`, partitionDNSSuffix)
	`68`	`+`
	`69`	+ const policy = `{
`70`	`70`	`"Version": "2012-10-17",`
`71`	`71`	`"Statement": [`
`72`	`72`	`{`
`@@ -115,7 +115,6 @@ func createControlPlaneInstanceProfile(ctx context.Context, logger logrus.FieldL`
`115`	`115`	`}`
`116`	`116`	`]`
`117`	`117`	}`
`118`		`- )`
`119`	`118`
`120`	`119`	`profileInput := &instanceProfileOptions{`
`121`	`120`	`namePrefix: name,`