r4f4
diff --git a/‎pkg/asset/cluster/aws/aws.go‎
Lines changed: 62 additions & 2 deletions b/‎pkg/asset/cluster/aws/aws.go‎
Lines changed: 62 additions & 2 deletions
diff --git a/‎pkg/asset/installconfig/aws/permissions.go‎
Lines changed: 145 additions & 12 deletions b/‎pkg/asset/installconfig/aws/permissions.go‎
Lines changed: 145 additions & 12 deletions
@@ -7,8 +7,11 @@ import (
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/ec2"
+	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/aws/aws-sdk-go/service/route53"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"k8s.io/apimachinery/pkg/util/sets"
 
 	"github.com/openshift/installer/pkg/asset/installconfig"
 	awsic "github.com/openshift/installer/pkg/asset/installconfig/aws"
@@ -34,12 +37,11 @@ func Metadata(clusterID, infraID string, config *types.InstallConfig) *awstypes.
 // PreTerraform performs any infrastructure initialization which must
 // happen before Terraform creates the remaining infrastructure.
 func PreTerraform(ctx context.Context, clusterID string, installConfig *installconfig.InstallConfig) error {
-
 	if err := tagSharedVPCResources(ctx, clusterID, installConfig); err != nil {
 		return err
 	}
 
-	return nil
+	return tagSharedIAMRoles(ctx, clusterID, installConfig)
 }
 
 func tagSharedVPCResources(ctx context.Context, clusterID string, installConfig *installconfig.InstallConfig) error {
@@ -95,6 +97,64 @@ func tagSharedVPCResources(ctx context.Context, clusterID string, installConfig
 	return nil
 }
 
+func tagSharedIAMRoles(ctx context.Context, clusterID string, installConfig *installconfig.InstallConfig) error {
+	iamRoles := sets.New[string]()
+	{
+		mpool := awstypes.MachinePool{}
+		mpool.Set(installConfig.Config.AWS.DefaultMachinePlatform)
+		if mp := installConfig.Config.ControlPlane; mp != nil {
+			mpool.Set(mp.Platform.AWS)
+		}
+		if len(mpool.IAMRole) > 0 {
+			iamRoles.Insert(mpool.IAMRole)
+		}
+	}
+
+	for _, compute := range installConfig.Config.Compute {
+		mpool := awstypes.MachinePool{}
+		mpool.Set(installConfig.Config.AWS.DefaultMachinePlatform)
+		mpool.Set(compute.Platform.AWS)
+		if len(mpool.IAMRole) > 0 {
+			iamRoles.Insert(mpool.IAMRole)
+		}
+	}
+
+	// If compute stanza was not defined, it will inherit from DefaultMachinePlatform later on.
+	if installConfig.Config.Compute == nil {
+		mpool := installConfig.Config.AWS.DefaultMachinePlatform
+		if mpool != nil && len(mpool.IAMRole) > 0 {
+			iamRoles.Insert(mpool.IAMRole)
+		}
+	}
+
+	if iamRoles.Len() == 0 {
+		return nil
+	}
+
+	logrus.Debugf("Tagging shared instance roles: %v", sets.List(iamRoles))
+
+	session, err := installConfig.AWS.Session(ctx)
+	if err != nil {
+		return fmt.Errorf("could not create AWS session: %w", err)
+	}
+
+	tagKey, tagValue := sharedTag(clusterID)
+
+	iamClient := iam.New(session, aws.NewConfig().WithRegion(installConfig.Config.Platform.AWS.Region))
+	for role := range iamRoles {
+		if _, err := iamClient.TagRoleWithContext(ctx, &iam.TagRoleInput{
+			RoleName: aws.String(role),
+			Tags: []*iam.Tag{
+				{Key: aws.String(tagKey), Value: aws.String(tagValue)},
+			},
+		}); err != nil {
+			return fmt.Errorf("could not tag %q instance role: %w", role, err)
+		}
+	}
+
+	return nil
+}
+
 func sharedTag(clusterID string) (string, string) {
 	return fmt.Sprintf("kubernetes.io/cluster/%s", clusterID), "shared"
 }
@@ -7,8 +7,11 @@ import (
 
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/sirupsen/logrus"
+	"k8s.io/apimachinery/pkg/util/sets"
 
 	ccaws "github.com/openshift/cloud-credential-operator/pkg/aws"
+	"github.com/openshift/installer/pkg/types"
+	"github.com/openshift/installer/pkg/types/aws"
 )
 
 // PermissionGroup is the group of permissions needed by cluster creation, operation, or teardown.
@@ -30,6 +33,9 @@ const (
 	// PermissionDeleteSharedNetworking is a set of permissions required when the installer destroys resources from a shared-network cluster.
 	PermissionDeleteSharedNetworking PermissionGroup = "delete-shared-networking"
 
+	// PermissionCreateInstanceRole is a set of permissions required when the installer creates instance roles.
+	PermissionCreateInstanceRole PermissionGroup = "create-instance-role"
+
 	// PermissionDeleteSharedInstanceRole is a set of permissions required when the installer destroys resources from a
 	// cluster with user-supplied IAM roles for instances.
 	PermissionDeleteSharedInstanceRole PermissionGroup = "delete-shared-instance-role"
@@ -129,10 +135,7 @@ var permissions = map[PermissionGroup][]string{
 		// IAM related perms
 		"iam:AddRoleToInstanceProfile",
 		"iam:CreateInstanceProfile",
-		"iam:CreateRole",
 		"iam:DeleteInstanceProfile",
-		"iam:DeleteRole",
-		"iam:DeleteRolePolicy",
 		"iam:GetInstanceProfile",
 		"iam:GetRole",
 		"iam:GetRolePolicy",
@@ -141,7 +144,6 @@ var permissions = map[PermissionGroup][]string{
 		"iam:ListRoles",
 		"iam:ListUsers",
 		"iam:PassRole",
-		"iam:PutRolePolicy",
 		"iam:RemoveRoleFromInstanceProfile",
 		"iam:SimulatePrincipalPolicy",
 		"iam:TagInstanceProfile",
@@ -246,6 +248,13 @@ var permissions = map[PermissionGroup][]string{
 	PermissionDeleteSharedNetworking: {
 		"tag:UnTagResources",
 	},
+	// Permissions required for creating an instance role
+	PermissionCreateInstanceRole: {
+		"iam:CreateRole",
+		"iam:DeleteRole",
+		"iam:DeleteRolePolicy",
+		"iam:PutRolePolicy",
+	},
 	// Permissions required for deleting a cluster with shared instance roles
 	PermissionDeleteSharedInstanceRole: {
 		"iam:UntagRole",
@@ -285,14 +294,9 @@ var permissions = map[PermissionGroup][]string{
 // as either capable of creating new credentials for components that interact with the cloud or
 // being able to be passed through as-is to the components that need cloud credentials
 func ValidateCreds(ssn *session.Session, groups []PermissionGroup, region string) error {
-	// Compile a list of permissions based on the permission groups provided
-	requiredPermissions := []string{}
-	for _, group := range groups {
-		groupPerms, ok := permissions[group]
-		if !ok {
-			return fmt.Errorf("unable to access permissions group %s", group)
-		}
-		requiredPermissions = append(requiredPermissions, groupPerms...)
+	requiredPermissions, err := PermissionsList(groups)
+	if err != nil {
+		return err
 	}
 
 	client := ccaws.NewClientFromSession(ssn)
@@ -332,3 +336,132 @@ func ValidateCreds(ssn *session.Session, groups []PermissionGroup, region string
 
 	return errors.New("AWS credentials cannot be used to either create new creds or use as-is")
 }
+
+// RequiredPermissionGroups returns a set of required permissions for a given cluster configuration.
+func RequiredPermissionGroups(ic *types.InstallConfig) []PermissionGroup {
+	permissionGroups := []PermissionGroup{PermissionCreateBase}
+	usingExistingVPC := len(ic.AWS.Subnets) != 0
+	usingExistingPrivateZone := len(ic.AWS.HostedZone) != 0
+
+	if !usingExistingVPC {
+		permissionGroups = append(permissionGroups, PermissionCreateNetworking)
+	}
+
+	if !usingExistingPrivateZone {
+		permissionGroups = append(permissionGroups, PermissionCreateHostedZone)
+	}
+
+	if includesKMSEncryptionKey(ic) {
+		logrus.Debugf("Adding %s to the group of permissions", PermissionKMSEncryptionKeys)
+		permissionGroups = append(permissionGroups, PermissionKMSEncryptionKeys)
+	}
+
+	// Add delete permissions for non-C2S installs.
+	if !aws.IsSecretRegion(ic.AWS.Region) {
+		permissionGroups = append(permissionGroups, PermissionDeleteBase)
+		if usingExistingVPC {
+			permissionGroups = append(permissionGroups, PermissionDeleteSharedNetworking)
+		} else {
+			permissionGroups = append(permissionGroups, PermissionDeleteNetworking)
+		}
+		if !usingExistingPrivateZone {
+			permissionGroups = append(permissionGroups, PermissionDeleteHostedZone)
+		}
+	}
+
+	if ic.AWS.PublicIpv4Pool != "" {
+		permissionGroups = append(permissionGroups, PermissionPublicIpv4Pool)
+	}
+
+	if !ic.AWS.BestEffortDeleteIgnition {
+		permissionGroups = append(permissionGroups, PermissionDeleteIgnitionObjects)
+	}
+
+	if includesCreateInstanceRole(ic) {
+		permissionGroups = append(permissionGroups, PermissionCreateInstanceRole)
+	}
+
+	if includesExistingInstanceRole(ic) {
+		permissionGroups = append(permissionGroups, PermissionDeleteSharedInstanceRole)
+	}
+
+	return permissionGroups
+}
+
+// PermissionsList compiles a list of permissions based on the permission groups provided.
+func PermissionsList(required []PermissionGroup) ([]string, error) {
+	requiredPermissions := sets.New[string]()
+	for _, group := range required {
+		groupPerms, ok := permissions[group]
+		if !ok {
+			return nil, fmt.Errorf("unable to access permissions group %s", group)
+		}
+		requiredPermissions.Insert(groupPerms...)
+	}
+
+	return sets.List(requiredPermissions), nil
+}
+
+// includesExistingInstanceRole checks if at least one BYO instance role is included in the install-config.
+func includesExistingInstanceRole(installConfig *types.InstallConfig) bool {
+	mpool := aws.MachinePool{}
+	mpool.Set(installConfig.AWS.DefaultMachinePlatform)
+
+	if mp := installConfig.ControlPlane; mp != nil {
+		mpool.Set(mp.Platform.AWS)
+	}
+
+	for _, compute := range installConfig.Compute {
+		mpool.Set(compute.Platform.AWS)
+	}
+
+	return len(mpool.IAMRole) > 0
+}
+
+// includesCreateInstanceRole checks if at least one instance role will be created by the installer.
+func includesCreateInstanceRole(installConfig *types.InstallConfig) bool {
+	{
+		mpool := aws.MachinePool{}
+		mpool.Set(installConfig.AWS.DefaultMachinePlatform)
+		if mp := installConfig.ControlPlane; mp != nil {
+			mpool.Set(mp.Platform.AWS)
+		}
+		if len(mpool.IAMRole) == 0 {
+			return true
+		}
+	}
+
+	for _, compute := range installConfig.Compute {
+		mpool := aws.MachinePool{}
+		mpool.Set(installConfig.AWS.DefaultMachinePlatform)
+		mpool.Set(compute.Platform.AWS)
+		if len(mpool.IAMRole) == 0 {
+			return true
+		}
+	}
+
+	if len(installConfig.Compute) > 0 {
+		return false
+	}
+
+	// If compute stanza is not defined, we know it'll inherit the value from DefaultMachinePlatform
+	mpool := aws.MachinePool{}
+	mpool.Set(installConfig.AWS.DefaultMachinePlatform)
+	return len(mpool.IAMRole) == 0
+}
+
+// includesKMSEncryptionKey checks if any KMS encryption keys are included in the install-config.
+func includesKMSEncryptionKey(installConfig *types.InstallConfig) bool {
+	mpool := aws.MachinePool{}
+	mpool.Set(installConfig.AWS.DefaultMachinePlatform)
+
+	if mp := installConfig.ControlPlane; mp != nil {
+		mpool.Set(mp.Platform.AWS)
+	}
+
+	for _, compute := range installConfig.Compute {
+		mpool.Set(compute.Platform.AWS)
+	}
+
+	return len(mpool.KMSKeyARN) > 0
+}