diff --git a/controllers/awsmachinetemplate_controller_test.go b/controllers/awsmachinetemplate_controller_test.go index c75b8565..ffe9bad2 100644 --- a/controllers/awsmachinetemplate_controller_test.go +++ b/controllers/awsmachinetemplate_controller_test.go @@ -331,6 +331,7 @@ var _ = Describe("AWSMachineTemplateReconciler", func() { externalDnsRoleInfo, certManagerRoleInfo, ALBControllerRoleInfo, + ebsCsiDriverRoleInfo, } expectedIAMTags := []*iam.Tag{ diff --git a/controllers/common_test.go b/controllers/common_test.go index 43a76770..0cbf7d74 100644 --- a/controllers/common_test.go +++ b/controllers/common_test.go 
@@ -374,3 +374,163 @@ var ALBControllerRoleInfo = RoleInfo{ ReturnRoleArn: "arn:aws:iam::55554444:role/test-cluster-ALBController-Role", } + +var ebsCsiDriverRoleInfo = RoleInfo{ + ExpectedName: "test-cluster-ebs-csi-driver", + + ExpectedAssumeRolePolicyDocument: `{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "arn:aws:iam::012345678901:oidc-provider/irsa.test.gaws.gigantic.io" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "irsa.test.gaws.gigantic.io:sub": "system:serviceaccount:kube-system:ebs-csi-driver-sa" + } + } + } + ] +} +`, + + ExpectedPolicyName: "control-plane-test-cluster-policy", + ExpectedPolicyDocument: `{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ec2:CreateSnapshot", + "ec2:AttachVolume", + "ec2:DetachVolume", + "ec2:ModifyVolume", + "ec2:DescribeAvailabilityZones", + "ec2:DescribeInstances", + "ec2:DescribeSnapshots", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "ec2:CreateTags" + ], + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ], + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:DeleteTags" + ], + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "ec2:CreateVolume" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "aws:RequestTag/ebs.csi.aws.com/cluster": "true" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:CreateVolume" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "aws:RequestTag/CSIVolumeName": "*" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:DeleteVolume" + ], + "Resource": "*", + "Condition": { + "StringLike": { + 
"ec2:ResourceTag/ebs.csi.aws.com/cluster": "true" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:DeleteVolume" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "ec2:ResourceTag/CSIVolumeName": "*" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:DeleteVolume" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "ec2:ResourceTag/kubernetes.io/created-for/pvc/name": "*" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:DeleteSnapshot" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "ec2:ResourceTag/CSIVolumeSnapshotName": "*" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:DeleteSnapshot" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true" + } + } + } + ] +}`, + + ReturnRoleArn: "arn:aws:iam::55554444:role/test-cluster-ebs-csi-driver", +} diff --git a/pkg/iam/ebs_csi_driver_template.go b/pkg/iam/ebs_csi_driver_template.go index 6236cfdd..cb124a3a 100644 --- a/pkg/iam/ebs_csi_driver_template.go +++ b/pkg/iam/ebs_csi_driver_template.go @@ -132,5 +132,4 @@ const EBSCSIDriverPolicyTemplate = `{ } } ] -} -` +}`
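Review bot: The trust document pinned in `ExpectedAssumeRolePolicyDocument` restricts `sts:AssumeRoleWithWebIdentity` on the `sub` claim only, so a token issued by `irsa.test.gaws.gigantic.io` for `system:serviceaccount:kube-system:ebs-csi-driver-sa` is accepted whatever audience it was minted for; the usual IRSA shape also pins `"irsa.test.gaws.gigantic.io:aud": "sts.amazonaws.com"` next to the `sub` entry in the same `StringEquals` block. This fixture mirrors a template that is not part of this diff, so the condition would be added to the template and echoed here; if the other RoleInfo fixtures above deliberately omit `aud`, the gap is project-wide rather than specific to this role and worth a separate change. A smaller point: the first statement of `ExpectedPolicyDocument` grants `ec2:AttachVolume`, `ec2:DetachVolume` and `ec2:ModifyVolume` on `Resource: "*"` with no tag condition, which matches the upstream EBS CSI example policy but does let the role attach, detach or resize any volume in the account rather than only volumes the driver created. Note also that `ExpectedAssumeRolePolicyDocument` keeps a trailing newline before its closing backtick while `ExpectedPolicyDocument` now ends with `}` directly followed by the backtick, mirroring the template change in `pkg/iam/ebs_csi_driver_template.go`.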