OCPBUGS-26052: aws: altinfra: fix role creation in C2S

r4f4 · r4f4 · commit ed0ef6c00855 · 2024-01-04T22:15:28.000+01:00
When creating the instance role assume policy, we need to take into
account that the ec2 service endpoint will differ according to the
partition. This should fix the following error when deploying on C2S
regions:

```
level=error msg=failed to fetch Cluster: failed to generate asset "Cluster": failed to create cluster: failed to create bootstrap resources: failed to create bootstrap instance profile: failed to create role (yunjiang-14c2a-t4wp7-bootstrap-role): RequestCanceled: request context canceled
```

because the installer is trying to use the regular `ec2.amazonaws.com`
service suffix instead of the appropriate one.
diff --git a/pkg/infrastructure/aws/aws.go b/pkg/infrastructure/aws/aws.go
@@ -9,6 +9,7 @@ import (
 	"time"
 
 	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/endpoints"
 	"github.com/aws/aws-sdk-go/aws/request"
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/aws/aws-sdk-go/service/ec2/ec2iface"
@@ -196,29 +197,36 @@ func (a InfraProvider) Provision(dir string, vars []*asset.File) ([]*asset.File,
 		return nil, fmt.Errorf("failed to create security groups: %w", err)
 	}
 
+	partitionDNSSuffix := "amazonaws.com"
+	if ps, found := endpoints.PartitionForRegion(endpoints.DefaultPartitions(), clusterAWSConfig.Region); found {
+		partitionDNSSuffix = ps.DNSSuffix()
+	}
+	logger.Debugf("Using partition DNS suffix: %s", partitionDNSSuffix)
+
 	logger.Infoln("Creating bootstrap resources")
 	bootstrapSubnet := vpcOutput.privateSubnetIDs[0]
 	if usePublicEndpoints {
 		bootstrapSubnet = vpcOutput.publicSubnetIDs[0]
 	}
 	bootstrapInput := bootstrapInputOptions{
 		instanceInputOptions: instanceInputOptions{
-			infraID:           clusterConfig.ClusterID,
-			amiID:             amiID,
-			instanceType:      clusterAWSConfig.MasterInstanceType,
-			iamRole:           clusterAWSConfig.MasterIAMRoleName,
-			volumeType:        "gp2",
-			volumeSize:        30,
-			volumeIOPS:        0,
-			isEncrypted:       true,
-			metadataAuth:      clusterAWSConfig.BootstrapMetadataAuthentication,
-			kmsKeyID:          clusterAWSConfig.KMSKeyID,
-			securityGroupIds:  []string{sgOutput.bootstrap, sgOutput.controlPlane},
-			targetGroupARNs:   lbOutput.targetGroupArns,
-			subnetID:          bootstrapSubnet,
-			associatePublicIP: usePublicEndpoints,
-			userData:          clusterAWSConfig.BootstrapIgnitionStub,
-			tags:              tags,
+			infraID:            clusterConfig.ClusterID,
+			amiID:              amiID,
+			instanceType:       clusterAWSConfig.MasterInstanceType,
+			iamRole:            clusterAWSConfig.MasterIAMRoleName,
+			volumeType:         "gp2",
+			volumeSize:         30,
+			volumeIOPS:         0,
+			isEncrypted:        true,
+			metadataAuth:       clusterAWSConfig.BootstrapMetadataAuthentication,
+			kmsKeyID:           clusterAWSConfig.KMSKeyID,
+			securityGroupIds:   []string{sgOutput.bootstrap, sgOutput.controlPlane},
+			targetGroupARNs:    lbOutput.targetGroupArns,
+			subnetID:           bootstrapSubnet,
+			associatePublicIP:  usePublicEndpoints,
+			userData:           clusterAWSConfig.BootstrapIgnitionStub,
+			partitionDNSSuffix: partitionDNSSuffix,
+			tags:               tags,
 		},
 		ignitionBucket:  clusterAWSConfig.IgnitionBucket,
 		ignitionContent: clusterConfig.IgnitionBootstrap,
@@ -233,21 +241,22 @@ func (a InfraProvider) Provision(dir string, vars []*asset.File) ([]*asset.File,
 	logger.Infoln("Creating control plane resources")
 	controlPlaneInput := controlPlaneInputOptions{
 		instanceInputOptions: instanceInputOptions{
-			infraID:           clusterConfig.ClusterID,
-			amiID:             amiID,
-			instanceType:      clusterAWSConfig.MasterInstanceType,
-			iamRole:           clusterAWSConfig.MasterIAMRoleName,
-			volumeType:        clusterAWSConfig.Type,
-			volumeSize:        clusterAWSConfig.Size,
-			volumeIOPS:        clusterAWSConfig.IOPS,
-			isEncrypted:       clusterAWSConfig.Encrypted,
-			kmsKeyID:          clusterAWSConfig.KMSKeyID,
-			metadataAuth:      clusterAWSConfig.MasterMetadataAuthentication,
-			securityGroupIds:  append(clusterAWSConfig.MasterSecurityGroups, sgOutput.controlPlane),
-			targetGroupARNs:   lbOutput.targetGroupArns,
-			associatePublicIP: len(os.Getenv("OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY")) > 0,
-			userData:          clusterConfig.IgnitionMaster,
-			tags:              tags,
+			infraID:            clusterConfig.ClusterID,
+			amiID:              amiID,
+			instanceType:       clusterAWSConfig.MasterInstanceType,
+			iamRole:            clusterAWSConfig.MasterIAMRoleName,
+			volumeType:         clusterAWSConfig.Type,
+			volumeSize:         clusterAWSConfig.Size,
+			volumeIOPS:         clusterAWSConfig.IOPS,
+			isEncrypted:        clusterAWSConfig.Encrypted,
+			kmsKeyID:           clusterAWSConfig.KMSKeyID,
+			metadataAuth:       clusterAWSConfig.MasterMetadataAuthentication,
+			securityGroupIds:   append(clusterAWSConfig.MasterSecurityGroups, sgOutput.controlPlane),
+			targetGroupARNs:    lbOutput.targetGroupArns,
+			associatePublicIP:  len(os.Getenv("OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY")) > 0,
+			userData:           clusterConfig.IgnitionMaster,
+			partitionDNSSuffix: partitionDNSSuffix,
+			tags:               tags,
 		},
 		nReplicas:         clusterConfig.Masters,
 		privateSubnetIDs:  vpcOutput.privateSubnetIDs,
@@ -261,8 +270,9 @@ func (a InfraProvider) Provision(dir string, vars []*asset.File) ([]*asset.File,
 
 	logger.Infoln("Creating compute resources")
 	computeInput := computeInputOptions{
-		infraID: clusterConfig.ClusterID,
-		tags:    tags,
+		infraID:            clusterConfig.ClusterID,
+		partitionDNSSuffix: partitionDNSSuffix,
+		tags:               tags,
 	}
 	err = createComputeResources(ctx, logger, iamClient, &computeInput)
 	if err != nil {
diff --git a/pkg/infrastructure/aws/bootstrap.go b/pkg/infrastructure/aws/bootstrap.go
@@ -37,7 +37,7 @@ func createBootstrapResources(ctx context.Context, logger logrus.FieldLogger, ec
 	}
 
 	profileName := fmt.Sprintf("%s-bootstrap", input.infraID)
-	instanceProfile, err := createBootstrapInstanceProfile(ctx, logger, iamClient, profileName, input.iamRole, input.tags)
+	instanceProfile, err := createBootstrapInstanceProfile(ctx, logger, iamClient, profileName, input.iamRole, input.partitionDNSSuffix, input.tags)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create bootstrap instance profile: %w", err)
 	}
@@ -167,22 +167,8 @@ func limitTags(tags map[string]string, size int) map[string]string {
 	return resized
 }
 
-func createBootstrapInstanceProfile(ctx context.Context, logger logrus.FieldLogger, client iamiface.IAMAPI, name string, roleName string, tags map[string]string) (*iam.InstanceProfile, error) {
-	const (
-		assumeRolePolicy = `{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Action": "sts:AssumeRole",
-            "Principal": {
-                "Service": "ec2.amazonaws.com"
-            },
-            "Effect": "Allow",
-            "Sid": ""
-        }
-    ]
-}`
-		bootstrapPolicy = `{
+func createBootstrapInstanceProfile(ctx context.Context, logger logrus.FieldLogger, client iamiface.IAMAPI, name string, roleName string, partitionDNSSuffix string, tags map[string]string) (*iam.InstanceProfile, error) {
+	const bootstrapPolicy = `{
   "Version": "2012-10-17",
   "Statement": [
     {
@@ -202,7 +188,20 @@ func createBootstrapInstanceProfile(ctx context.Context, logger logrus.FieldLogg
     }
   ]
 }`
-	)
+
+	assumeRolePolicy := fmt.Sprintf(`{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "sts:AssumeRole",
+            "Principal": {
+                "Service": "ec2.%s"
+            },
+            "Effect": "Allow",
+            "Sid": ""
+        }
+    ]
+}`, partitionDNSSuffix)
 
 	profileInput := &instanceProfileOptions{
 		namePrefix:       name,
diff --git a/pkg/infrastructure/aws/compute.go b/pkg/infrastructure/aws/compute.go
@@ -10,36 +10,37 @@ import (
 )
 
 type computeInputOptions struct {
-	infraID string
-	tags    map[string]string
+	infraID            string
+	partitionDNSSuffix string
+	tags               map[string]string
 }
 
 func createComputeResources(ctx context.Context, logger logrus.FieldLogger, iamClient iamiface.IAMAPI, input *computeInputOptions) error {
 	profileName := fmt.Sprintf("%s-worker", input.infraID)
-	_, err := createComputeInstanceProfile(ctx, logger, iamClient, profileName, input.tags)
+	_, err := createComputeInstanceProfile(ctx, logger, iamClient, profileName, input.partitionDNSSuffix, input.tags)
 	if err != nil {
 		return fmt.Errorf("failed to create compute instance profile: %w", err)
 	}
 	logger.Infoln("Created compute instance profile")
 	return nil
 }
 
-func createComputeInstanceProfile(ctx context.Context, logger logrus.FieldLogger, client iamiface.IAMAPI, name string, tags map[string]string) (*iam.InstanceProfile, error) {
-	const (
-		assumeRolePolicy = `{
+func createComputeInstanceProfile(ctx context.Context, logger logrus.FieldLogger, client iamiface.IAMAPI, name string, partitionDNSSuffix string, tags map[string]string) (*iam.InstanceProfile, error) {
+	assumeRolePolicy := fmt.Sprintf(`{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Action": "sts:AssumeRole",
             "Principal": {
-                "Service": "ec2.amazonaws.com"
+                "Service": "ec2.%s"
             },
             "Effect": "Allow",
             "Sid": ""
         }
     ]
-}`
-		policy = `{
+}`, partitionDNSSuffix)
+
+	const policy = `{
   "Version": "2012-10-17",
   "Statement": [
     {
@@ -52,7 +53,6 @@ func createComputeInstanceProfile(ctx context.Context, logger logrus.FieldLogger
     }
   ]
 }`
-	)
 
 	input := &instanceProfileOptions{
 		namePrefix:       name,
diff --git a/pkg/infrastructure/aws/controlplane.go b/pkg/infrastructure/aws/controlplane.go
@@ -26,7 +26,7 @@ type controlPlaneOutput struct {
 
 func createControlPlaneResources(ctx context.Context, logger logrus.FieldLogger, ec2Client ec2iface.EC2API, iamClient iamiface.IAMAPI, elbClient elbv2iface.ELBV2API, input *controlPlaneInputOptions) (*controlPlaneOutput, error) {
 	profileName := fmt.Sprintf("%s-master", input.infraID)
-	instanceProfile, err := createControlPlaneInstanceProfile(ctx, logger, iamClient, profileName, input.iamRole, input.tags)
+	instanceProfile, err := createControlPlaneInstanceProfile(ctx, logger, iamClient, profileName, input.iamRole, input.partitionDNSSuffix, input.tags)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create control plane instance profile: %w", err)
 	}
@@ -51,22 +51,22 @@ func createControlPlaneResources(ctx context.Context, logger logrus.FieldLogger,
 	return &controlPlaneOutput{controlPlaneIPs: instanceIPs}, nil
 }
 
-func createControlPlaneInstanceProfile(ctx context.Context, logger logrus.FieldLogger, client iamiface.IAMAPI, name string, roleName string, tags map[string]string) (*iam.InstanceProfile, error) {
-	const (
-		assumeRolePolicy = `{
+func createControlPlaneInstanceProfile(ctx context.Context, logger logrus.FieldLogger, client iamiface.IAMAPI, name string, roleName string, partitionDNSSuffix string, tags map[string]string) (*iam.InstanceProfile, error) {
+	assumeRolePolicy := fmt.Sprintf(`{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Action": "sts:AssumeRole",
             "Principal": {
-                "Service": "ec2.amazonaws.com"
+                "Service": "ec2.%s"
             },
             "Effect": "Allow",
             "Sid": ""
         }
     ]
-}`
-		policy = `{
+}`, partitionDNSSuffix)
+
+	const policy = `{
   "Version": "2012-10-17",
   "Statement": [
     {
@@ -115,7 +115,6 @@ func createControlPlaneInstanceProfile(ctx context.Context, logger logrus.FieldL
     }
   ]
 }`
-	)
 
 	profileInput := &instanceProfileOptions{
 		namePrefix:       name,
diff --git a/pkg/infrastructure/aws/instance.go b/pkg/infrastructure/aws/instance.go
@@ -36,6 +36,7 @@ type instanceInputOptions struct {
 	instanceProfileARN string
 	volumeType         string
 	metadataAuth       string
+	partitionDNSSuffix string
 	volumeSize         int64
 	volumeIOPS         int64
 	isEncrypted        bool

Original file line number	Diff line number	Diff line change
`@@ -10,36 +10,37 @@ import (`
`10`	`10`	`)`
`11`	`11`
`12`	`12`	`type computeInputOptions struct {`
`13`		`- infraID string`
`14`		`- tags map[string]string`
	`13`	`+ infraID string`
	`14`	`+ partitionDNSSuffix string`
	`15`	`+ tags map[string]string`
`15`	`16`	`}`
`16`	`17`
`17`	`18`	`func createComputeResources(ctx context.Context, logger logrus.FieldLogger, iamClient iamiface.IAMAPI, input *computeInputOptions) error {`
`18`	`19`	`profileName := fmt.Sprintf("%s-worker", input.infraID)`
`19`		`- _, err := createComputeInstanceProfile(ctx, logger, iamClient, profileName, input.tags)`
	`20`	`+ _, err := createComputeInstanceProfile(ctx, logger, iamClient, profileName, input.partitionDNSSuffix, input.tags)`
`20`	`21`	`if err != nil {`
`21`	`22`	`return fmt.Errorf("failed to create compute instance profile: %w", err)`
`22`	`23`	`}`
`23`	`24`	`logger.Infoln("Created compute instance profile")`
`24`	`25`	`return nil`
`25`	`26`	`}`
`26`	`27`
`27`		`-func createComputeInstanceProfile(ctx context.Context, logger logrus.FieldLogger, client iamiface.IAMAPI, name string, tags map[string]string) (*iam.InstanceProfile, error) {`
`28`		`- const (`
`29`		- assumeRolePolicy = `{
	`28`	`+func createComputeInstanceProfile(ctx context.Context, logger logrus.FieldLogger, client iamiface.IAMAPI, name string, partitionDNSSuffix string, tags map[string]string) (*iam.InstanceProfile, error) {`
	`29`	+ assumeRolePolicy := fmt.Sprintf(`{
`30`	`30`	`"Version": "2012-10-17",`
`31`	`31`	`"Statement": [`
`32`	`32`	`{`
`33`	`33`	`"Action": "sts:AssumeRole",`
`34`	`34`	`"Principal": {`
`35`		`- "Service": "ec2.amazonaws.com"`
	`35`	`+ "Service": "ec2.%s"`
`36`	`36`	`},`
`37`	`37`	`"Effect": "Allow",`
`38`	`38`	`"Sid": ""`
`39`	`39`	`}`
`40`	`40`	`]`
`41`		-}`
`42`		- policy = `{
	`41`	+}`, partitionDNSSuffix)
	`42`	`+`
	`43`	+ const policy = `{
`43`	`44`	`"Version": "2012-10-17",`
`44`	`45`	`"Statement": [`
`45`	`46`	`{`
`@@ -52,7 +53,6 @@ func createComputeInstanceProfile(ctx context.Context, logger logrus.FieldLogger`
`52`	`53`	`}`
`53`	`54`	`]`
`54`	`55`	}`
`55`		`- )`
`56`	`56`
`57`	`57`	`input := &instanceProfileOptions{`
`58`	`58`	`namePrefix: name,`
Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ type controlPlaneOutput struct {`
`26`	`26`
`27`	`27`	`func createControlPlaneResources(ctx context.Context, logger logrus.FieldLogger, ec2Client ec2iface.EC2API, iamClient iamiface.IAMAPI, elbClient elbv2iface.ELBV2API, input controlPlaneInputOptions) (controlPlaneOutput, error) {`
`28`	`28`	`profileName := fmt.Sprintf("%s-master", input.infraID)`
`29`		`- instanceProfile, err := createControlPlaneInstanceProfile(ctx, logger, iamClient, profileName, input.iamRole, input.tags)`
	`29`	`+ instanceProfile, err := createControlPlaneInstanceProfile(ctx, logger, iamClient, profileName, input.iamRole, input.partitionDNSSuffix, input.tags)`
`30`	`30`	`if err != nil {`
`31`	`31`	`return nil, fmt.Errorf("failed to create control plane instance profile: %w", err)`
`32`	`32`	`}`
`@@ -51,22 +51,22 @@ func createControlPlaneResources(ctx context.Context, logger logrus.FieldLogger,`
`51`	`51`	`return &controlPlaneOutput{controlPlaneIPs: instanceIPs}, nil`
`52`	`52`	`}`
`53`	`53`
`54`		`-func createControlPlaneInstanceProfile(ctx context.Context, logger logrus.FieldLogger, client iamiface.IAMAPI, name string, roleName string, tags map[string]string) (*iam.InstanceProfile, error) {`
`55`		`- const (`
`56`		- assumeRolePolicy = `{
	`54`	`+func createControlPlaneInstanceProfile(ctx context.Context, logger logrus.FieldLogger, client iamiface.IAMAPI, name string, roleName string, partitionDNSSuffix string, tags map[string]string) (*iam.InstanceProfile, error) {`
	`55`	+ assumeRolePolicy := fmt.Sprintf(`{
`57`	`56`	`"Version": "2012-10-17",`
`58`	`57`	`"Statement": [`
`59`	`58`	`{`
`60`	`59`	`"Action": "sts:AssumeRole",`
`61`	`60`	`"Principal": {`
`62`		`- "Service": "ec2.amazonaws.com"`
	`61`	`+ "Service": "ec2.%s"`
`63`	`62`	`},`
`64`	`63`	`"Effect": "Allow",`
`65`	`64`	`"Sid": ""`
`66`	`65`	`}`
`67`	`66`	`]`
`68`		-}`
`69`		- policy = `{
	`67`	+}`, partitionDNSSuffix)
	`68`	`+`
	`69`	+ const policy = `{
`70`	`70`	`"Version": "2012-10-17",`
`71`	`71`	`"Statement": [`
`72`	`72`	`{`
`@@ -115,7 +115,6 @@ func createControlPlaneInstanceProfile(ctx context.Context, logger logrus.FieldL`
`115`	`115`	`}`
`116`	`116`	`]`
`117`	`117`	}`
`118`		`- )`
`119`	`118`
`120`	`119`	`profileInput := &instanceProfileOptions{`
`121`	`120`	`namePrefix: name,`