Add tagging support for AWS IAM Roles
parent
aff0ae2d39
commit
4ee5d7a543
@ -64,6 +64,7 @@ func (m *MockIAM) CreateRole(request *iam.CreateRoleInput) (*iam.CreateRoleOutpu
},
},
RoleName: request.RoleName,
RoleName: request.RoleName,
RoleId: &roleID,
RoleId: &roleID,
Tags: request.Tags,
}
}
if m.Roles == nil {
if m.Roles == nil {
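Review bot: CreateRole now stores request.Tags on the mocked role, but nothing in this hunk shows MockIAM implementing TagRole or UntagRole, which the update path added to RenderAWS in this same commit calls; if those methods are absent or stubbed, the tag-update branch is never exercised against the mock. Worth confirming in the rest of the mock and adding the two methods if they are missing. CreateRole's body continues outside the hunk.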
@ -136,6 +136,7 @@ func (b *IAMModelBuilder) buildIAMRole(role iam.Subject, iamName string, c *fi.M
Lifecycle: b.Lifecycle,
Lifecycle: b.Lifecycle,
RolePolicyDocument: rolePolicy,
RolePolicyDocument: rolePolicy,
Tags: b.CloudTags(iamName, false),
}
}
if isServiceAccount {
if isServiceAccount {
@ -44,6 +44,8 @@ type IAMRole struct {
RolePolicyDocument fi.Resource // "inline" IAM policy
RolePolicyDocument fi.Resource // "inline" IAM policy
PermissionsBoundary *string
PermissionsBoundary *string
Tags map[string]string
// ExportWithId will expose the name & ARN for reuse as part of a larger system. Only supported by terraform currently.
// ExportWithId will expose the name & ARN for reuse as part of a larger system. Only supported by terraform currently.
ExportWithID *string
ExportWithID *string
}
}
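Review bot: The new Tags field on IAMRole carries no doc comment, although the neighbouring ExportWithID field documents its contract; a reader cannot tell from the struct whether the map is the desired set or the observed set. Add `// Tags holds the tags to apply to the role; it is compared against the tags read back from AWS to decide whether a re-tag is needed.` above the field. The IAMRole type declaration starts outside the hunk.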
@ -110,6 +112,7 @@ func (e *IAMRole) Find(c *fi.Context) (*IAMRole, error) {
actual.RolePolicyDocument = fi.NewStringResource(actualPolicy)
actual.RolePolicyDocument = fi.NewStringResource(actualPolicy)
}
}
actual.Tags = mapIAMTagsToMap(r.Tags)
klog.V(2).Infof("found matching IAMRole %q", aws.StringValue(actual.ID))
klog.V(2).Infof("found matching IAMRole %q", aws.StringValue(actual.ID))
e.ID = actual.ID
e.ID = actual.ID
@ -150,6 +153,7 @@ func (_ *IAMRole) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *IAMRole) error
request := &iam.CreateRoleInput{}
request := &iam.CreateRoleInput{}
request.AssumeRolePolicyDocument = aws.String(policy)
request.AssumeRolePolicyDocument = aws.String(policy)
request.RoleName = e.Name
request.RoleName = e.Name
request.Tags = mapToIAMTags(e.Tags)
if e.PermissionsBoundary != nil {
if e.PermissionsBoundary != nil {
request.PermissionsBoundary = e.PermissionsBoundary
request.PermissionsBoundary = e.PermissionsBoundary
@ -215,7 +219,32 @@ func (_ *IAMRole) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *IAMRole) error
return fmt.Errorf("error updating IAMRole: %v", err)
return fmt.Errorf("error updating IAMRole: %v", err)
}
}
}
}
}
if changes.Tags != nil {
if len(a.Tags) > 0 {
existingTagKeys := make([]*string, 0)
for k := range a.Tags {
existingTagKeys = append(existingTagKeys, &k)
}
untagRequest := &iam.UntagRoleInput{
RoleName: e.Name,
TagKeys: existingTagKeys,
}
_, err = t.Cloud.IAM().UntagRole(untagRequest)
if err != nil {
return fmt.Errorf("error untagging IAMRole: %v", err)
}
}
if len(e.Tags) > 0 {
tagRequest := &iam.TagRoleInput{
RoleName: e.Name,
Tags: mapToIAMTags(e.Tags),
}
_, err = t.Cloud.IAM().TagRole(tagRequest)
if err != nil {
return fmt.Errorf("error tagging IAMRole: %v", err)
}
}
}
}
}
}
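Review bot: `existingTagKeys = append(existingTagKeys, &k)` takes the address of the range variable `k`, so with pre-Go-1.22 loop semantics every entry in existingTagKeys aliases the same variable and the UntagRoleInput ends up carrying N copies of whichever key the loop visited last; all other stale tags survive the "untag" call. The one-line fix is `existingTagKeys = append(existingTagKeys, aws.String(k))`, which the file already has in scope. Separately, untagging every existing key and then re-tagging leaves a window in which the role has no tags at all; if any IAM policy conditions on the role's tags (aws:ResourceTag style), access through that role can flicker during the update, so restricting the untag set to keys absent from e.Tags, e.g. `if _, ok := e.Tags[k]; ok { continue }`, both narrows the window and avoids needless API calls. The `_, err =` assignments assume an `err` already declared earlier in RenderAWS, which is outside this hunk.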
@ -227,6 +256,7 @@ type terraformIAMRole struct {
Name *string `json:"name" cty:"name"`
Name *string `json:"name" cty:"name"`
AssumeRolePolicy *terraform.Literal `json:"assume_role_policy" cty:"assume_role_policy"`
AssumeRolePolicy *terraform.Literal `json:"assume_role_policy" cty:"assume_role_policy"`
PermissionsBoundary *string `json:"permissions_boundary,omitempty" cty:"permissions_boundary"`
PermissionsBoundary *string `json:"permissions_boundary,omitempty" cty:"permissions_boundary"`
Tags map[string]string `json:"tags,omitempty" cty:"tags"`
}
}
func (_ *IAMRole) RenderTerraform(t *terraform.TerraformTarget, a, e, changes *IAMRole) error {
func (_ *IAMRole) RenderTerraform(t *terraform.TerraformTarget, a, e, changes *IAMRole) error {
@ -238,6 +268,7 @@ func (_ *IAMRole) RenderTerraform(t *terraform.TerraformTarget, a, e, changes *I
tf := &terraformIAMRole{
tf := &terraformIAMRole{
Name: e.Name,
Name: e.Name,
AssumeRolePolicy: policy,
AssumeRolePolicy: policy,
Tags: e.Tags,
}
}
if e.PermissionsBoundary != nil {
if e.PermissionsBoundary != nil {
@ -260,6 +291,7 @@ type cloudformationIAMRole struct {
RoleName *string `json:"RoleName"`
RoleName *string `json:"RoleName"`
AssumeRolePolicyDocument map[string]interface{}
AssumeRolePolicyDocument map[string]interface{}
PermissionsBoundary *string `json:"PermissionsBoundary,omitempty"`
PermissionsBoundary *string `json:"PermissionsBoundary,omitempty"`
Tags []cloudformationTag `json:"Tags,omitempty"`
}
}
func (_ *IAMRole) RenderCloudformation(t *cloudformation.CloudformationTarget, a, e, changes *IAMRole) error {
func (_ *IAMRole) RenderCloudformation(t *cloudformation.CloudformationTarget, a, e, changes *IAMRole) error {
@ -277,6 +309,7 @@ func (_ *IAMRole) RenderCloudformation(t *cloudformation.CloudformationTarget, a
cf := &cloudformationIAMRole{
cf := &cloudformationIAMRole{
RoleName: e.Name,
RoleName: e.Name,
AssumeRolePolicyDocument: data,
AssumeRolePolicyDocument: data,
Tags: buildCloudformationTags(e.Tags),
}
}
if e.PermissionsBoundary != nil {
if e.PermissionsBoundary != nil {
@ -21,6 +21,7 @@ import (
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/ec2"
"github.com/aws/aws-sdk-go/service/ec2"
"github.com/aws/aws-sdk-go/service/iam"
)
)
func mapEC2TagsToMap(tags []*ec2.Tag) map[string]string {
func mapEC2TagsToMap(tags []*ec2.Tag) map[string]string {
@ -37,6 +38,34 @@ func mapEC2TagsToMap(tags []*ec2.Tag) map[string]string {
return m
return m
}
}
func mapIAMTagsToMap(tags []*iam.Tag) map[string]string {
if tags == nil {
return nil
}
m := make(map[string]string)
for _, t := range tags {
if strings.HasPrefix(aws.StringValue(t.Key), "aws:cloudformation:") {
continue
}
m[aws.StringValue(t.Key)] = aws.StringValue(t.Value)
}
return m
}
func mapToIAMTags(tags map[string]string) []*iam.Tag {
if tags == nil {
return nil
}
m := make([]*iam.Tag, 0)
for k, v := range tags {
m = append(m, &iam.Tag{
Key: aws.String(k),
Value: aws.String(v),
})
}
return m
}
func findNameTag(tags []*ec2.Tag) *string {
func findNameTag(tags []*ec2.Tag) *string {
for _, tag := range tags {
for _, tag := range tags {
if aws.StringValue(tag.Key) == "Name" {
if aws.StringValue(tag.Key) == "Name" {
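Review bot: Both new helpers, mapIAMTagsToMap and mapToIAMTags, lack doc comments, and the one non-obvious line in them — skipping keys with the `aws:cloudformation:` prefix — has no why-comment, so a later reader cannot tell whether the filter is deliberate. Suggest `// mapIAMTagsToMap converts the tags returned by the IAM API into a map, dropping aws:cloudformation:* keys so that tags owned by CloudFormation are neither reported as drift nor removed by an update.` on the first and `// mapToIAMTags converts a tag map into the slice form the IAM API expects; a nil map yields a nil slice.` on the second. Because the output of mapToIAMTags follows map iteration order, any test that compares the resulting slice must sort it first. The `make([]*iam.Tag, 0)` could also be `var m []*iam.Tag`, since the nil check above already covers the nil-input case and append handles a nil slice.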