Merge pull request #11836 from olemarkus/no-policy-reconcile

Don't reconcile roles and policies if a profile is provided
2021-06-26 11:29:23 -07:00 · 2021-06-26 11:29:23 -07:00 · 2d75004e19
parent ada21a81cf dc79acb1bb
commit 2d75004e19
1 changed files with 69 additions and 67 deletions
--- a/pkg/model/awsmodel/iam.go
+++ b/pkg/model/awsmodel/iam.go
@ -279,15 +279,6 @@ func (b *IAMModelBuilder) roleKey(role iam.Subject) (string, bool) {
 func (b *IAMModelBuilder) buildIAMTasks(role iam.Subject, iamName string, c *fi.ModelBuilderContext, shared bool) error {
 	roleKey, _ := b.roleKey(role)

-	iamRole, err := b.buildIAMRole(role, iamName, c)
-	if err != nil {
-		return err
-	}
-
-	if err := b.buildIAMRolePolicy(role, iamName, iamRole, c); err != nil {
-		return err
-	}
-
 	{
 		// To minimize diff for easier code review

@ -297,11 +288,23 @@ func (b *IAMModelBuilder) buildIAMTasks(role iam.Subject, iamName string, c *fi.
 				Name:      fi.String(iamName),
 				Lifecycle: b.Lifecycle,
 				Shared:    fi.Bool(shared),
-				Tags:      b.CloudTags(iamName, false),
+				Tags:      b.CloudTags(iamName, shared),
 			}
 			c.AddTask(iamInstanceProfile)
 		}

+		if !shared {
+
+			// Create External Policy tasks
+			iamRole, err := b.buildIAMRole(role, iamName, c)
+			if err != nil {
+				return err
+			}
+
+			{
+				if err := b.buildIAMRolePolicy(role, iamName, iamRole, c); err != nil {
+					return err
+				}
 				{
 					iamInstanceProfileRole := &awstasks.IAMInstanceProfileRole{
 						Name:      fi.String(iamName),
@ -313,8 +316,6 @@ func (b *IAMModelBuilder) buildIAMTasks(role iam.Subject, iamName string, c *fi.
 					c.AddTask(iamInstanceProfileRole)
 				}

-		// Create External Policy tasks
-		if !shared {
 				var externalPolicies []string

 				if b.Cluster.Spec.ExternalPolicies != nil {
@ -336,7 +337,7 @@ func (b *IAMModelBuilder) buildIAMTasks(role iam.Subject, iamName string, c *fi.
 			}

 			// Generate additional policies if needed, and attach to existing role
-		if !shared {
+			{
 				additionalPolicy := ""
 				if b.Cluster.Spec.AdditionalPolicies != nil {
 					additionalPolicies := *(b.Cluster.Spec.AdditionalPolicies)
@ -372,6 +373,7 @@ func (b *IAMModelBuilder) buildIAMTasks(role iam.Subject, iamName string, c *fi.
 				c.AddTask(t)
 			}
 		}
+	}

 	return nil
 }