cluster/aws: tag existing IAM instance roles with "shared".

r4f4 · r4f4 · commit d0af25cad6cd · 2024-07-01T17:19:27.000+02:00
This change kind of reverts openshift#5286. IAM roles created by the Installer are now consistently tagged with "owned". We should also tag BYO roles so we know which clusters are using them, and so that it's not deleted by the installer during cluster destroy.
diff --git a/pkg/asset/cluster/aws/aws.go b/pkg/asset/cluster/aws/aws.go
@@ -7,8 +7,11 @@ import (
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/ec2"
+	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/aws/aws-sdk-go/service/route53"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"k8s.io/apimachinery/pkg/util/sets"
 
 	"github.com/openshift/installer/pkg/asset/installconfig"
 	awsic "github.com/openshift/installer/pkg/asset/installconfig/aws"
@@ -34,12 +37,11 @@ func Metadata(clusterID, infraID string, config *types.InstallConfig) *awstypes.
 // PreTerraform performs any infrastructure initialization which must
 // happen before Terraform creates the remaining infrastructure.
 func PreTerraform(ctx context.Context, clusterID string, installConfig *installconfig.InstallConfig) error {
-
 	if err := tagSharedVPCResources(ctx, clusterID, installConfig); err != nil {
 		return err
 	}
 
-	return nil
+	return tagSharedIAMRoles(ctx, clusterID, installConfig)
 }
 
 func tagSharedVPCResources(ctx context.Context, clusterID string, installConfig *installconfig.InstallConfig) error {
@@ -95,6 +97,64 @@ func tagSharedVPCResources(ctx context.Context, clusterID string, installConfig
 	return nil
 }
 
+func tagSharedIAMRoles(ctx context.Context, clusterID string, installConfig *installconfig.InstallConfig) error {
+	iamRoles := sets.New[string]()
+	{
+		mpool := awstypes.MachinePool{}
+		mpool.Set(installConfig.Config.AWS.DefaultMachinePlatform)
+		if mp := installConfig.Config.ControlPlane; mp != nil {
+			mpool.Set(mp.Platform.AWS)
+		}
+		if len(mpool.IAMRole) > 0 {
+			iamRoles.Insert(mpool.IAMRole)
+		}
+	}
+
+	for _, compute := range installConfig.Config.Compute {
+		mpool := awstypes.MachinePool{}
+		mpool.Set(installConfig.Config.AWS.DefaultMachinePlatform)
+		mpool.Set(compute.Platform.AWS)
+		if len(mpool.IAMRole) > 0 {
+			iamRoles.Insert(mpool.IAMRole)
+		}
+	}
+
+	// If compute stanza was not defined, it will inherit from DefaultMachinePlatform later on.
+	if installConfig.Config.Compute == nil {
+		mpool := installConfig.Config.AWS.DefaultMachinePlatform
+		if mpool != nil && len(mpool.IAMRole) > 0 {
+			iamRoles.Insert(mpool.IAMRole)
+		}
+	}
+
+	if iamRoles.Len() == 0 {
+		return nil
+	}
+
+	logrus.Debugf("Tagging shared instance roles: %v", sets.List(iamRoles))
+
+	session, err := installConfig.AWS.Session(ctx)
+	if err != nil {
+		return fmt.Errorf("could not create AWS session: %w", err)
+	}
+
+	tagKey, tagValue := sharedTag(clusterID)
+
+	iamClient := iam.New(session, aws.NewConfig().WithRegion(installConfig.Config.Platform.AWS.Region))
+	for role := range iamRoles {
+		if _, err := iamClient.TagRoleWithContext(ctx, &iam.TagRoleInput{
+			RoleName: aws.String(role),
+			Tags: []*iam.Tag{
+				{Key: aws.String(tagKey), Value: aws.String(tagValue)},
+			},
+		}); err != nil {
+			return fmt.Errorf("could not tag %q instance role: %w", role, err)
+		}
+	}
+
+	return nil
+}
+
 func sharedTag(clusterID string) (string, string) {
 	return fmt.Sprintf("kubernetes.io/cluster/%s", clusterID), "shared"
 }
