fix route53 policy parameter calculation

giantswarm · Jan 2, 2024 · b472ee1 · b472ee1
1 parent 2e793e3
commit b472ee1
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 14 deletions.
diff --git a/pkg/iam/iam.go b/pkg/iam/iam.go
@@ -58,13 +58,13 @@ type IAMService struct {
 }
 
 type Route53RoleParams struct {
-	EC2ServiceDomain string
-	AccountID        string
-	CloudFrontDomain string
-	Namespace        string
-	ServiceAccount   string
-	PrincipalRoleARN string
-	IsMigrate        bool
+	EC2ServiceDomain           string
+	AccountID                  string
+	CloudFrontDomain           string
+	AdditionalCloudFrontDomain string
+	Namespace                  string
+	ServiceAccount             string
+	PrincipalRoleARN           string
 }
 
 func New(config IAMServiceConfig) (*IAMService, error) {
@@ -178,7 +178,7 @@ func (s *IAMService) ReconcileRolesForIRSA(awsAccountID string, cloudFrontDomain
 	return nil
 }
 
-func (s *IAMService) generateRoute53RoleParams(roleTypeToReconcile string, awsAccountID string, cloudFrontDomain string, oldCloudFrontDomain string) (Route53RoleParams, error) {
+func (s *IAMService) generateRoute53RoleParams(roleTypeToReconcile string, awsAccountID string, cloudFrontDomain string, additionalCloudFrontDomain string) (Route53RoleParams, error) {
 	namespace := "kube-system"
 	serviceAccount, err := getServiceAccount(roleTypeToReconcile)
 	if err != nil {
@@ -194,9 +194,8 @@ func (s *IAMService) generateRoute53RoleParams(roleTypeToReconcile string, awsAc
 		ServiceAccount:   serviceAccount,
 	}
 
-	if oldCloudFrontDomain != "" {
-		params.IsMigrate = true
-		params.CloudFrontDomain = oldCloudFrontDomain
+	if additionalCloudFrontDomain != "" {
+		params.AdditionalCloudFrontDomain = additionalCloudFrontDomain
 	}
 
 	return params, nil

diff --git a/pkg/iam/route53_template.go b/pkg/iam/route53_template.go
@@ -14,16 +14,16 @@ const trustIdentityPolicyIRSA = `{
           "{{.CloudFrontDomain}}:sub": "system:serviceaccount:{{.Namespace}}:{{.ServiceAccount}}"
         }
       }
-    }{{if .IsMigrate}},
+    }{{if .AdditionalCloudFrontDomain}},
     {
       "Effect": "Allow",
       "Principal": {
-        "Federated": "arn:aws:iam::{{.AccountID}}:oidc-provider/{{.OldCloudFrontDomain}}"
+        "Federated": "arn:aws:iam::{{.AccountID}}:oidc-provider/{{.AdditionalCloudFrontDomain}}"
       },
       "Action": "sts:AssumeRoleWithWebIdentity",
       "Condition": {
         "StringEquals": {
-          "{{.OldCloudFrontDomain}}:sub": "system:serviceaccount:{{.Namespace}}:{{.ServiceAccount}}"
+          "{{.AdditionalCloudFrontDomain}}:sub": "system:serviceaccount:{{.Namespace}}:{{.ServiceAccount}}"
         }
       }
     }