capa-china (#265)

* capa-china
giantswarm · Mar 7, 2024 · 75011a9 · 75011a9
1 parent 5adaf69
commit 75011a9
Show file tree

Hide file tree

Showing 15 changed files with 70 additions and 53 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
+- Create a IAM client with specific Region in order to work with AWS China partition.
+- Adjust all IAM policies to include all AWS partitions.
 - Change inline policy document attach logic to recreate it if it's already attached to the role.
 
 ## [0.16.0] - 2024-02-28

diff --git a/controllers/awsmachinepool_controller.go b/controllers/awsmachinepool_controller.go
@@ -41,7 +41,7 @@ import (
 type AWSMachinePoolReconciler struct {
 	client.Client
 	Log              logr.Logger
-	IAMClientFactory func(awsclientgo.ConfigProvider) iamiface.IAMAPI
+	IAMClientFactory func(awsclientgo.ConfigProvider, string) iamiface.IAMAPI
 	AWSClient        awsclient.AwsClientInterface
 }
 

diff --git a/controllers/awsmachinepool_controller_test.go b/controllers/awsmachinepool_controller_test.go
@@ -56,7 +56,7 @@ var _ = Describe("AWSMachinePoolReconciler", func() {
 			Client:    k8sClient,
 			Log:       ctrl.Log,
 			AWSClient: mockAwsClient,
-			IAMClientFactory: func(session awsclientupstream.ConfigProvider) iamiface.IAMAPI {
+			IAMClientFactory: func(session awsclientupstream.ConfigProvider, region string) iamiface.IAMAPI {
 				return mockIAMClient
 			},
 		}

diff --git a/controllers/awsmachinetemplate_controller.go b/controllers/awsmachinetemplate_controller.go
@@ -46,7 +46,7 @@ type AWSMachineTemplateReconciler struct {
 	EnableRoute53Role bool
 	Log               logr.Logger
 	AWSClient         awsclient.AwsClientInterface
-	IAMClientFactory  func(awsclientgo.ConfigProvider) iamiface.IAMAPI
+	IAMClientFactory  func(awsclientgo.ConfigProvider, string) iamiface.IAMAPI
 }
 
 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=awsmachinetemplates,verbs=get;list;watch;create;update;patch;delete

diff --git a/controllers/awsmachinetemplate_controller_test.go b/controllers/awsmachinetemplate_controller_test.go
@@ -57,7 +57,7 @@ var _ = Describe("AWSMachineTemplateReconciler", func() {
 			EnableRoute53Role: true,
 			Log:               ctrl.Log,
 			AWSClient:         mockAwsClient,
-			IAMClientFactory: func(session awsclientupstream.ConfigProvider) iamiface.IAMAPI {
+			IAMClientFactory: func(session awsclientupstream.ConfigProvider, region string) iamiface.IAMAPI {
 				return mockIAMClient
 			},
 		}

diff --git a/controllers/awsmanagedcontrolplane_controller.go b/controllers/awsmanagedcontrolplane_controller.go
@@ -41,7 +41,7 @@ type AWSManagedControlPlaneReconciler struct {
 	client.Client
 	Log              logr.Logger
 	AWSClient        awsclient.AwsClientInterface
-	IAMClientFactory func(awsclientgo.ConfigProvider) iamiface.IAMAPI
+	IAMClientFactory func(awsclientgo.ConfigProvider, string) iamiface.IAMAPI
 }
 
 func (r *AWSManagedControlPlaneReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {

diff --git a/controllers/common_test.go b/controllers/common_test.go
@@ -37,15 +37,15 @@ var certManagerRoleInfo = RoleInfo{
     {
       "Effect": "Allow",
       "Action": "route53:GetChange",
-      "Resource": "arn:aws:route53:::change/*"
+      "Resource": "arn:*:route53:::change/*"
     },
     {
       "Effect": "Allow",
       "Action": [
         "route53:ChangeResourceRecordSets",
         "route53:ListResourceRecordSets"
       ],
-      "Resource": "arn:aws:route53:::hostedzone/*"
+      "Resource": "arn:*:route53:::hostedzone/*"
     },
     {
       "Effect": "Allow",
@@ -88,7 +88,7 @@ var externalDnsRoleInfo = RoleInfo{
     {
       "Action": "route53:ChangeResourceRecordSets",
       "Resource": [
-        "arn:aws:route53:::hostedzone/*"
+        "arn:*:route53:::hostedzone/*"
       ],
       "Effect": "Allow"
     },
@@ -217,7 +217,7 @@ var ALBControllerRoleInfo = RoleInfo{
             "Action": [
                 "ec2:CreateTags"
             ],
-            "Resource": "arn:aws:ec2:*:*:security-group/*",
+            "Resource": "arn:*:ec2:*:*:security-group/*",
             "Condition": {
                 "StringEquals": {
                     "ec2:CreateAction": "CreateSecurityGroup"
@@ -233,7 +233,7 @@ var ALBControllerRoleInfo = RoleInfo{
                 "ec2:CreateTags",
                 "ec2:DeleteTags"
             ],
-            "Resource": "arn:aws:ec2:*:*:security-group/*",
+            "Resource": "arn:*:ec2:*:*:security-group/*",
             "Condition": {
                 "Null": {
                     "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
@@ -285,9 +285,9 @@ var ALBControllerRoleInfo = RoleInfo{
                 "elasticloadbalancing:RemoveTags"
             ],
             "Resource": [
-                "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
-                "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
-                "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+                "arn:*:elasticloadbalancing:*:*:targetgroup/*/*",
+                "arn:*:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+                "arn:*:elasticloadbalancing:*:*:loadbalancer/app/*/*"
             ],
             "Condition": {
                 "Null": {
@@ -303,10 +303,10 @@ var ALBControllerRoleInfo = RoleInfo{
                 "elasticloadbalancing:RemoveTags"
             ],
             "Resource": [
-                "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
-                "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
-                "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
-                "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
+                "arn:*:elasticloadbalancing:*:*:listener/net/*/*/*",
+                "arn:*:elasticloadbalancing:*:*:listener/app/*/*/*",
+                "arn:*:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
+                "arn:*:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
             ]
         },
         {
@@ -334,9 +334,9 @@ var ALBControllerRoleInfo = RoleInfo{
                 "elasticloadbalancing:AddTags"
             ],
             "Resource": [
-                "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
-                "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
-                "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+                "arn:*:elasticloadbalancing:*:*:targetgroup/*/*",
+                "arn:*:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+                "arn:*:elasticloadbalancing:*:*:loadbalancer/app/*/*"
             ],
             "Condition": {
                 "StringEquals": {
@@ -356,7 +356,7 @@ var ALBControllerRoleInfo = RoleInfo{
                 "elasticloadbalancing:RegisterTargets",
                 "elasticloadbalancing:DeregisterTargets"
             ],
-            "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
+            "Resource": "arn:*:elasticloadbalancing:*:*:targetgroup/*/*"
         },
         {
             "Effect": "Allow",
@@ -423,8 +423,8 @@ var ebsCsiDriverRoleInfo = RoleInfo{
         "ec2:CreateTags"
       ],
       "Resource": [
-        "arn:aws:ec2:*:*:volume/*",
-        "arn:aws:ec2:*:*:snapshot/*"
+        "arn:*:ec2:*:*:volume/*",
+        "arn:*:ec2:*:*:snapshot/*"
       ],
       "Condition": {
         "StringEquals": {
@@ -441,8 +441,8 @@ var ebsCsiDriverRoleInfo = RoleInfo{
         "ec2:DeleteTags"
       ],
       "Resource": [
-        "arn:aws:ec2:*:*:volume/*",
-        "arn:aws:ec2:*:*:snapshot/*"
+        "arn:*:ec2:*:*:volume/*",
+        "arn:*:ec2:*:*:snapshot/*"
       ]
     },
     {

diff --git a/main.go b/main.go
@@ -23,6 +23,7 @@ import (
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
 
+	"github.com/aws/aws-sdk-go/aws"
 	awsclientgo "github.com/aws/aws-sdk-go/aws/client"
 	awsiam "github.com/aws/aws-sdk-go/service/iam"
 	"github.com/aws/aws-sdk-go/service/iam/iamiface"
@@ -107,8 +108,8 @@ func main() {
 		os.Exit(1)
 	}
 
-	iamClientFactory := func(session awsclientgo.ConfigProvider) iamiface.IAMAPI {
-		return awsiam.New(session)
+	iamClientFactory := func(session awsclientgo.ConfigProvider, region string) iamiface.IAMAPI {
+		return awsiam.New(session, &aws.Config{Region: aws.String(region)})
 	}
 
 	if err = (&controllers.AWSMachineTemplateReconciler{

diff --git a/pkg/iam/alb_controller_template.go b/pkg/iam/alb_controller_template.go
@@ -87,7 +87,7 @@ const ALBControllerPolicyTemplate = `{
             "Action": [
                 "ec2:CreateTags"
             ],
-            "Resource": "arn:aws:ec2:*:*:security-group/*",
+            "Resource": "arn:*:ec2:*:*:security-group/*",
             "Condition": {
                 "StringEquals": {
                     "ec2:CreateAction": "CreateSecurityGroup"
@@ -103,7 +103,7 @@ const ALBControllerPolicyTemplate = `{
                 "ec2:CreateTags",
                 "ec2:DeleteTags"
             ],
-            "Resource": "arn:aws:ec2:*:*:security-group/*",
+            "Resource": "arn:*:ec2:*:*:security-group/*",
             "Condition": {
                 "Null": {
                     "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
@@ -155,9 +155,9 @@ const ALBControllerPolicyTemplate = `{
                 "elasticloadbalancing:RemoveTags"
             ],
             "Resource": [
-                "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
-                "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
-                "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+                "arn:*:elasticloadbalancing:*:*:targetgroup/*/*",
+                "arn:*:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+                "arn:*:elasticloadbalancing:*:*:loadbalancer/app/*/*"
             ],
             "Condition": {
                 "Null": {
@@ -173,10 +173,10 @@ const ALBControllerPolicyTemplate = `{
                 "elasticloadbalancing:RemoveTags"
             ],
             "Resource": [
-                "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
-                "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
-                "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
-                "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
+                "arn:*:elasticloadbalancing:*:*:listener/net/*/*/*",
+                "arn:*:elasticloadbalancing:*:*:listener/app/*/*/*",
+                "arn:*:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
+                "arn:*:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
             ]
         },
         {
@@ -204,9 +204,9 @@ const ALBControllerPolicyTemplate = `{
                 "elasticloadbalancing:AddTags"
             ],
             "Resource": [
-                "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
-                "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
-                "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+                "arn:*:elasticloadbalancing:*:*:targetgroup/*/*",
+                "arn:*:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+                "arn:*:elasticloadbalancing:*:*:loadbalancer/app/*/*"
             ],
             "Condition": {
                 "StringEquals": {
@@ -226,7 +226,7 @@ const ALBControllerPolicyTemplate = `{
                 "elasticloadbalancing:RegisterTargets",
                 "elasticloadbalancing:DeregisterTargets"
             ],
-            "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
+            "Resource": "arn:*:elasticloadbalancing:*:*:targetgroup/*/*"
         },
         {
             "Effect": "Allow",

diff --git a/pkg/iam/bastion_template.go b/pkg/iam/bastion_template.go
@@ -13,7 +13,7 @@ const bastionPolicyTemplate = `{
         "s3:GetObjectVersion"
       ],
       "Resource": [
-        "arn:aws:s3:::*-capa-*"
+        "arn:*:s3:::*-capa-*"
       ],
       "Effect": "Allow"
     }

diff --git a/pkg/iam/ebs_csi_driver_template.go b/pkg/iam/ebs_csi_driver_template.go
@@ -25,8 +25,8 @@ const EBSCSIDriverPolicyTemplate = `{
         "ec2:CreateTags"
       ],
       "Resource": [
-        "arn:aws:ec2:*:*:volume/*",
-        "arn:aws:ec2:*:*:snapshot/*"
+        "arn:*:ec2:*:*:volume/*",
+        "arn:*:ec2:*:*:snapshot/*"
       ],
       "Condition": {
         "StringEquals": {
@@ -43,8 +43,8 @@ const EBSCSIDriverPolicyTemplate = `{
         "ec2:DeleteTags"
       ],
       "Resource": [
-        "arn:aws:ec2:*:*:volume/*",
-        "arn:aws:ec2:*:*:snapshot/*"
+        "arn:*:ec2:*:*:volume/*",
+        "arn:*:ec2:*:*:snapshot/*"
       ]
     },
     {

diff --git a/pkg/iam/iam.go b/pkg/iam/iam.go
@@ -45,7 +45,7 @@ type IAMServiceConfig struct {
 	PrincipalRoleARN string
 	CustomTags       map[string]string
 
-	IAMClientFactory func(awsclientgo.ConfigProvider) iamiface.IAMAPI
+	IAMClientFactory func(awsclientgo.ConfigProvider, string) iamiface.IAMAPI
 }
 
 type IAMService struct {
@@ -61,6 +61,7 @@ type IAMService struct {
 }
 
 type Route53RoleParams struct {
+	AWSDomain                  string
 	EC2ServiceDomain           string
 	AccountID                  string
 	CloudFrontDomain           string
@@ -86,7 +87,7 @@ func New(config IAMServiceConfig) (*IAMService, error) {
 	if !(config.RoleType == ControlPlaneRole || config.RoleType == NodesRole || config.RoleType == BastionRole || config.RoleType == IRSARole) {
 		return nil, fmt.Errorf("cannot create IAMService with invalid RoleType '%s'", config.RoleType)
 	}
-	iamClient := config.IAMClientFactory(config.AWSSession)
+	iamClient := config.IAMClientFactory(config.AWSSession, config.Region)
 	eksClient := eks.New(config.AWSSession, &aws.Config{Region: aws.String(config.Region)})
 
 	l := config.Log.WithValues("clusterName", config.ClusterName, "iam-role", config.RoleType)
@@ -144,9 +145,11 @@ func (s *IAMService) ReconcileKiamRole() error {
 	}
 
 	params := struct {
+		AWSDomain           string
 		ControlPlaneRoleARN string
 		EC2ServiceDomain    string
 	}{
+		AWSDomain:           awsDomain(s.region),
 		ControlPlaneRoleARN: controlPlaneRoleARN,
 		EC2ServiceDomain:    ec2ServiceDomain(s.region),
 	}
@@ -190,6 +193,7 @@ func (s *IAMService) generateRoute53RoleParams(roleTypeToReconcile string, awsAc
 	}
 
 	params := Route53RoleParams{
+		AWSDomain:        awsDomain(s.region),
 		EC2ServiceDomain: ec2ServiceDomain(s.region),
 		AccountID:        awsAccountID,
 		CloudFrontDomain: cloudFrontDomain,

diff --git a/pkg/iam/iam_test.go b/pkg/iam/iam_test.go
@@ -48,7 +48,7 @@ var _ = Describe("ReconcileRole", func() {
 			PrincipalRoleARN: "test-principal-role-arn",
 			Log:              ctrl.Log,
 			AWSSession:       sess,
-			IAMClientFactory: func(session awsclientgo.ConfigProvider) iamiface.IAMAPI {
+			IAMClientFactory: func(session awsclientgo.ConfigProvider, region string) iamiface.IAMAPI {
 				return mockIAMClient
 			},
 		}

diff --git a/pkg/iam/route53_template.go b/pkg/iam/route53_template.go
@@ -6,7 +6,7 @@ const trustIdentityPolicyIRSA = `{
     {
       "Effect": "Allow",
       "Principal": {
-        "Federated": "arn:aws:iam::{{.AccountID}}:oidc-provider/{{.CloudFrontDomain}}"
+        "Federated": "arn:{{.AWSDomain}}:iam::{{.AccountID}}:oidc-provider/{{.CloudFrontDomain}}"
       },
       "Action": "sts:AssumeRoleWithWebIdentity",
       "Condition": {
@@ -18,7 +18,7 @@ const trustIdentityPolicyIRSA = `{
     {
       "Effect": "Allow",
       "Principal": {
-        "Federated": "arn:aws:iam::{{.AccountID}}:oidc-provider/{{.AdditionalCloudFrontDomain}}"
+        "Federated": "arn:{{.AWSDomain}}:iam::{{.AccountID}}:oidc-provider/{{.AdditionalCloudFrontDomain}}"
       },
       "Action": "sts:AssumeRoleWithWebIdentity",
       "Condition": {
@@ -38,7 +38,7 @@ const route53RolePolicyTemplate = `{
     {
       "Action": "route53:ChangeResourceRecordSets",
       "Resource": [
-        "arn:aws:route53:::hostedzone/*"
+        "arn:*:route53:::hostedzone/*"
       ],
       "Effect": "Allow"
     },
@@ -60,15 +60,15 @@ const route53RolePolicyTemplateForCertManager = `{
     {
       "Effect": "Allow",
       "Action": "route53:GetChange",
-      "Resource": "arn:aws:route53:::change/*"
+      "Resource": "arn:*:route53:::change/*"
     },
     {
       "Effect": "Allow",
       "Action": [
         "route53:ChangeResourceRecordSets",
         "route53:ListResourceRecordSets"
       ],
-      "Resource": "arn:aws:route53:::hostedzone/*"
+      "Resource": "arn:*:route53:::hostedzone/*"
     },
     {
       "Effect": "Allow",