Merge pull request #10164 from hakman/fix-cf-tf

Fix output for CF and TF
Kubernetes Prow Robot 2020-11-04 19:32:53 -08:00 committed by GitHub
commit 8043a5e799
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
101 changed files with 897 additions and 773 deletions


@ -48,8 +48,8 @@ const PolicyDefaultVersion = "2012-10-17"
// Policy Struct is a collection of fields that form a valid AWS policy document // Policy Struct is a collection of fields that form a valid AWS policy document
type Policy struct { type Policy struct {
Version string
Statement []*Statement Statement []*Statement
Version string
} }
// AsJSON converts the policy document to JSON format (parsable by AWS) // AsJSON converts the policy document to JSON format (parsable by AWS)
@ -146,6 +146,19 @@ func (s *Statement) MarshalJSON() ([]byte, error) {
jw := &jsonWriter{w: &b} jw := &jsonWriter{w: &b}
jw.StartObject() jw.StartObject()
if !s.Action.IsEmpty() {
jw.Field("Action")
jw.Marshal(s.Action)
jw.Comma()
}
if len(s.Condition) != 0 {
jw.Field("Condition")
jw.Marshal(s.Condition)
jw.Comma()
}
jw.Field("Effect") jw.Field("Effect")
jw.Marshal(s.Effect) jw.Marshal(s.Effect)
@ -154,21 +167,13 @@ func (s *Statement) MarshalJSON() ([]byte, error) {
jw.Field("Principal") jw.Field("Principal")
jw.Marshal(s.Principal) jw.Marshal(s.Principal)
} }
if !s.Action.IsEmpty() {
jw.Comma()
jw.Field("Action")
jw.Marshal(s.Action)
}
if !s.Resource.IsEmpty() { if !s.Resource.IsEmpty() {
jw.Comma() jw.Comma()
jw.Field("Resource") jw.Field("Resource")
jw.Marshal(s.Resource) jw.Marshal(s.Resource)
} }
if len(s.Condition) != 0 {
jw.Comma()
jw.Field("Condition")
jw.Marshal(s.Condition)
}
jw.EndObject() jw.EndObject()
return b.Bytes(), jw.Error() return b.Bytes(), jw.Error()
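Review bot: The comma handling in `MarshalJSON` now mixes two conventions: the `Action` and `Condition` branches call `jw.Comma()` after their value, while the `Resource` branch calls it before. The output stays valid JSON only because `Effect` appears to be written unconditionally between them, and nothing in the code records that dependency, so a later change that makes `Effect` optional would emit a malformed IAM policy document. I would add above the first branch `// Keys are emitted in alphabetical order; the trailing commas on Action and Condition rely on Effect always following.` and, on the `Policy` struct, `// Field order is the JSON key order; keep it alphabetical.` The struct comment assumes `AsJSON` marshals the struct with encoding/json, which is not visible here. The body of `MarshalJSON` starts and ends outside these hunks.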


@ -38,7 +38,7 @@ func TestRoundTrip(t *testing.T) {
Action: stringorslice.Of("ec2:DescribeRegions"), Action: stringorslice.Of("ec2:DescribeRegions"),
Resource: stringorslice.Of("*"), Resource: stringorslice.Of("*"),
}, },
JSON: "{\"Effect\":\"Allow\",\"Action\":\"ec2:DescribeRegions\",\"Resource\":\"*\"}", JSON: "{\"Action\":\"ec2:DescribeRegions\",\"Effect\":\"Allow\",\"Resource\":\"*\"}",
}, },
{ {
IAM: &Statement{ IAM: &Statement{
@ -46,7 +46,7 @@ func TestRoundTrip(t *testing.T) {
Action: stringorslice.Of("ec2:DescribeRegions", "ec2:DescribeInstances"), Action: stringorslice.Of("ec2:DescribeRegions", "ec2:DescribeInstances"),
Resource: stringorslice.Of("a", "b"), Resource: stringorslice.Of("a", "b"),
}, },
JSON: "{\"Effect\":\"Deny\",\"Action\":[\"ec2:DescribeRegions\",\"ec2:DescribeInstances\"],\"Resource\":[\"a\",\"b\"]}", JSON: "{\"Action\":[\"ec2:DescribeRegions\",\"ec2:DescribeInstances\"],\"Effect\":\"Deny\",\"Resource\":[\"a\",\"b\"]}",
}, },
{ {
IAM: &Statement{ IAM: &Statement{
@ -56,7 +56,7 @@ func TestRoundTrip(t *testing.T) {
"foo": 1, "foo": 1,
}, },
}, },
JSON: "{\"Effect\":\"Deny\",\"Principal\":{\"Federated\":\"federated\"},\"Condition\":{\"foo\":1}}", JSON: "{\"Condition\":{\"foo\":1},\"Effect\":\"Deny\",\"Principal\":{\"Federated\":\"federated\"}}",
}, },
{ {
IAM: &Statement{ IAM: &Statement{
@ -66,7 +66,7 @@ func TestRoundTrip(t *testing.T) {
"bar": "baz", "bar": "baz",
}, },
}, },
JSON: "{\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"service\"},\"Condition\":{\"bar\":\"baz\"}}", JSON: "{\"Condition\":{\"bar\":\"baz\"},\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"service\"}}",
}, },
} }
for _, g := range grid { for _, g := range grid {
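Review bot: None of the cases visible in these hunks sets `Action`, `Condition`, `Principal` and `Resource` on the same statement, so no expectation pins the complete key order or the comma placement across all five keys. The updated cases cover `Action`+`Resource` and `Condition`+`Principal` separately, which leaves the boundary between the trailing-comma and leading-comma branches of `MarshalJSON` partly untested. I would add one grid entry combining the values already used here, with the expected string `JSON: "{\"Action\":\"ec2:DescribeRegions\",\"Condition\":{\"foo\":1},\"Effect\":\"Allow\",\"Principal\":{\"Federated\":\"federated\"},\"Resource\":\"*\"}",`. The grid and `TestRoundTrip` continue outside the hunks, so such a case may already exist out of view.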


@ -1,14 +1,14 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,17 +1,15 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:*" "ec2:*"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeAutoScalingInstances",
@ -22,54 +20,55 @@
"autoscaling:UpdateAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:*" "elasticloadbalancing:*"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"s3:*" "s3:*"
], ],
"Effect": "Allow",
"Resource": "arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/*" "Resource": "arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/*"
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"s3:GetBucketLocation", "s3:GetBucketLocation",
"s3:GetEncryptionConfiguration", "s3:GetEncryptionConfiguration",
"s3:ListBucket", "s3:ListBucket",
"s3:ListBucketVersions" "s3:ListBucketVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:s3:::kops-tests" "arn:aws:s3:::kops-tests"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"kms:ListGrants", "kms:ListGrants",
"kms:RevokeGrant" "kms:RevokeGrant"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"key-id-1", "key-id-1",
"key-id-2", "key-id-2",
@ -77,7 +76,6 @@
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"kms:CreateGrant", "kms:CreateGrant",
"kms:Decrypt", "kms:Decrypt",
@ -86,6 +84,7 @@
"kms:GenerateDataKey*", "kms:GenerateDataKey*",
"kms:ReEncrypt*" "kms:ReEncrypt*"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"key-id-1", "key-id-1",
"key-id-2", "key-id-2",
@ -93,16 +92,15 @@
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ecr:GetAuthorizationToken", "ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability", "ecr:BatchCheckLayerAvailability",
@ -112,9 +110,11 @@
"ecr:ListImages", "ecr:ListImages",
"ecr:BatchGetImage" "ecr:BatchGetImage"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" "ec2:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" "autoscaling:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,41 +121,41 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"s3:Get*" "s3:Get*"
], ],
"Effect": "Allow",
"Resource": "arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/*" "Resource": "arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/*"
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"s3:GetBucketLocation", "s3:GetBucketLocation",
"s3:GetEncryptionConfiguration", "s3:GetEncryptionConfiguration",
"s3:ListBucket", "s3:ListBucket",
"s3:ListBucketVersions" "s3:ListBucketVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:s3:::kops-tests" "arn:aws:s3:::kops-tests"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"kms:CreateGrant", "kms:CreateGrant",
"kms:Decrypt", "kms:Decrypt",
@ -166,11 +164,13 @@
"kms:GenerateDataKey*", "kms:GenerateDataKey*",
"kms:ReEncrypt*" "kms:ReEncrypt*"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"key-id-1", "key-id-1",
"key-id-2", "key-id-2",
"key-id-3" "key-id-3"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" "ec2:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" "autoscaling:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,41 +121,41 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"s3:Get*" "s3:Get*"
], ],
"Effect": "Allow",
"Resource": "arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/*" "Resource": "arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/*"
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"s3:GetBucketLocation", "s3:GetBucketLocation",
"s3:GetEncryptionConfiguration", "s3:GetEncryptionConfiguration",
"s3:ListBucket", "s3:ListBucket",
"s3:ListBucketVersions" "s3:ListBucketVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:s3:::kops-tests" "arn:aws:s3:::kops-tests"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"kms:CreateGrant", "kms:CreateGrant",
"kms:Decrypt", "kms:Decrypt",
@ -166,6 +164,7 @@
"kms:GenerateDataKey*", "kms:GenerateDataKey*",
"kms:ReEncrypt*" "kms:ReEncrypt*"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"key-id-1", "key-id-1",
"key-id-2", "key-id-2",
@ -173,7 +172,6 @@
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ecr:GetAuthorizationToken", "ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability", "ecr:BatchCheckLayerAvailability",
@ -183,9 +181,11 @@
"ecr:ListImages", "ecr:ListImages",
"ecr:BatchGetImage" "ecr:BatchGetImage"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,46 +1,44 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"s3:*" "s3:*"
], ],
"Effect": "Allow",
"Resource": "arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/*" "Resource": "arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/*"
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"s3:GetBucketLocation", "s3:GetBucketLocation",
"s3:GetEncryptionConfiguration", "s3:GetEncryptionConfiguration",
"s3:ListBucket", "s3:ListBucket",
"s3:ListBucketVersions" "s3:ListBucketVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:s3:::kops-tests" "arn:aws:s3:::kops-tests"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ecr:GetAuthorizationToken", "ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability", "ecr:BatchCheckLayerAvailability",
@ -50,9 +48,11 @@
"ecr:ListImages", "ecr:ListImages",
"ecr:BatchGetImage" "ecr:BatchGetImage"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,21 +1,20 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"s3:Get*" "s3:Get*"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/addons/*", "arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/addons/*",
"arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/cluster.spec", "arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/cluster.spec",
@ -29,16 +28,17 @@
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"s3:GetBucketLocation", "s3:GetBucketLocation",
"s3:GetEncryptionConfiguration", "s3:GetEncryptionConfiguration",
"s3:ListBucket", "s3:ListBucket",
"s3:ListBucketVersions" "s3:ListBucketVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:s3:::kops-tests" "arn:aws:s3:::kops-tests"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,21 +1,20 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"s3:Get*" "s3:Get*"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/addons/*", "arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/addons/*",
"arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/cluster.spec", "arn:aws:s3:::kops-tests/iam-builder-test.k8s.local/cluster.spec",
@ -29,19 +28,18 @@
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"s3:GetBucketLocation", "s3:GetBucketLocation",
"s3:GetEncryptionConfiguration", "s3:GetEncryptionConfiguration",
"s3:ListBucket", "s3:ListBucket",
"s3:ListBucketVersions" "s3:ListBucketVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:s3:::kops-tests" "arn:aws:s3:::kops-tests"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ecr:GetAuthorizationToken", "ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability", "ecr:BatchCheckLayerAvailability",
@ -51,9 +49,11 @@
"ecr:ListImages", "ecr:ListImages",
"ecr:BatchGetImage" "ecr:BatchGetImage"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,14 +1,14 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "bastionuserdata.example.com" "ec2:ResourceTag/KubernetesCluster": "bastionuserdata.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "bastionuserdata.example.com" "autoscaling:ResourceTag/KubernetesCluster": "bastionuserdata.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,48 +121,50 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets", "route53:ListResourceRecordSets",
"route53:GetHostedZone" "route53:GetHostedZone"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:GetChange" "route53:GetChange"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::change/*" "arn:aws:route53:::change/*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,15 +1,15 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -395,6 +395,9 @@
}, },
"ImageId": "ami-12345678", "ImageId": "ami-12345678",
"InstanceType": "t2.medium", "InstanceType": "t2.medium",
"Monitoring": {
"Enabled": true
},
"NetworkInterfaces": [ "NetworkInterfaces": [
{ {
"AssociatePublicIpAddress": true, "AssociatePublicIpAddress": true,
@ -850,6 +853,7 @@
"AWSEC2SecurityGroupapielbcomplexexamplecom": { "AWSEC2SecurityGroupapielbcomplexexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "api-elb.complex.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCcomplexexamplecom" "Ref": "AWSEC2VPCcomplexexamplecom"
}, },
@ -881,6 +885,7 @@
"AWSEC2SecurityGroupmasterscomplexexamplecom": { "AWSEC2SecurityGroupmasterscomplexexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "masters.complex.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCcomplexexamplecom" "Ref": "AWSEC2VPCcomplexexamplecom"
}, },
@ -912,6 +917,7 @@
"AWSEC2SecurityGroupnodescomplexexamplecom": { "AWSEC2SecurityGroupnodescomplexexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "nodes.complex.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCcomplexexamplecom" "Ref": "AWSEC2VPCcomplexexamplecom"
}, },
@ -1231,6 +1237,7 @@
"AWSIAMInstanceProfilemasterscomplexexamplecom": { "AWSIAMInstanceProfilemasterscomplexexamplecom": {
"Type": "AWS::IAM::InstanceProfile", "Type": "AWS::IAM::InstanceProfile",
"Properties": { "Properties": {
"InstanceProfileName": "masters.complex.example.com",
"Roles": [ "Roles": [
{ {
"Ref": "AWSIAMRolemasterscomplexexamplecom" "Ref": "AWSIAMRolemasterscomplexexamplecom"
@ -1241,6 +1248,7 @@
"AWSIAMInstanceProfilenodescomplexexamplecom": { "AWSIAMInstanceProfilenodescomplexexamplecom": {
"Type": "AWS::IAM::InstanceProfile", "Type": "AWS::IAM::InstanceProfile",
"Properties": { "Properties": {
"InstanceProfileName": "nodes.complex.example.com",
"Roles": [ "Roles": [
{ {
"Ref": "AWSIAMRolenodescomplexexamplecom" "Ref": "AWSIAMRolenodescomplexexamplecom"


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "complex.example.com" "ec2:ResourceTag/KubernetesCluster": "complex.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "complex.example.com" "autoscaling:ResourceTag/KubernetesCluster": "complex.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,48 +121,50 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets", "route53:ListResourceRecordSets",
"route53:GetHostedZone" "route53:GetHostedZone"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:GetChange" "route53:GetChange"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::change/*" "arn:aws:route53:::change/*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,15 +1,15 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -371,6 +371,9 @@ resource "aws_launch_template" "nodes-complex-example-com" {
lifecycle { lifecycle {
create_before_destroy = true create_before_destroy = true
} }
monitoring {
enabled = true
}
name_prefix = "nodes.complex.example.com-" name_prefix = "nodes.complex.example.com-"
network_interfaces { network_interfaces {
associate_public_ip_address = true associate_public_ip_address = true


@ -611,6 +611,7 @@
"AWSEC2SecurityGroupmasterscontainerdexamplecom": { "AWSEC2SecurityGroupmasterscontainerdexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "masters.containerd.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCcontainerdexamplecom" "Ref": "AWSEC2VPCcontainerdexamplecom"
}, },
@ -634,6 +635,7 @@
"AWSEC2SecurityGroupnodescontainerdexamplecom": { "AWSEC2SecurityGroupnodescontainerdexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "nodes.containerd.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCcontainerdexamplecom" "Ref": "AWSEC2VPCcontainerdexamplecom"
}, },
@ -806,6 +808,7 @@
"AWSIAMInstanceProfilemasterscontainerdexamplecom": { "AWSIAMInstanceProfilemasterscontainerdexamplecom": {
"Type": "AWS::IAM::InstanceProfile", "Type": "AWS::IAM::InstanceProfile",
"Properties": { "Properties": {
"InstanceProfileName": "masters.containerd.example.com",
"Roles": [ "Roles": [
{ {
"Ref": "AWSIAMRolemasterscontainerdexamplecom" "Ref": "AWSIAMRolemasterscontainerdexamplecom"
@ -816,6 +819,7 @@
"AWSIAMInstanceProfilenodescontainerdexamplecom": { "AWSIAMInstanceProfilenodescontainerdexamplecom": {
"Type": "AWS::IAM::InstanceProfile", "Type": "AWS::IAM::InstanceProfile",
"Properties": { "Properties": {
"InstanceProfileName": "nodes.containerd.example.com",
"Roles": [ "Roles": [
{ {
"Ref": "AWSIAMRolenodescontainerdexamplecom" "Ref": "AWSIAMRolenodescontainerdexamplecom"
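Review bot: The explicit `InstanceProfileName` on both instance profiles, and `GroupName` on the two security groups above, makes these custom-named resources, and nothing visible in the commit documents that. CloudFormation only creates a stack containing custom-named IAM resources when the caller acknowledges `CAPABILITY_NAMED_IAM`, and a custom-named resource cannot go through an update that requires replacement, so a later change to such a property fails instead of rolling the resource. Whether the roles in this template already carry explicit names is not visible in these hunks, so the capability may already be required. I would add a line to the CloudFormation docs or release notes such as `Generated templates set InstanceProfileName and GroupName; deploy with --capabilities CAPABILITY_NAMED_IAM`; the same applies to the other CloudFormation fixtures changed in this commit.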


@ -607,6 +607,7 @@
"AWSEC2SecurityGroupmastersminimalexamplecom": { "AWSEC2SecurityGroupmastersminimalexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "masters.minimal.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCminimalexamplecom" "Ref": "AWSEC2VPCminimalexamplecom"
}, },
@ -630,6 +631,7 @@
"AWSEC2SecurityGroupnodesminimalexamplecom": { "AWSEC2SecurityGroupnodesminimalexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "nodes.minimal.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCminimalexamplecom" "Ref": "AWSEC2VPCminimalexamplecom"
}, },


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "existingsg.example.com" "ec2:ResourceTag/KubernetesCluster": "existingsg.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "existingsg.example.com" "autoscaling:ResourceTag/KubernetesCluster": "existingsg.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,48 +121,50 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets", "route53:ListResourceRecordSets",
"route53:GetHostedZone" "route53:GetHostedZone"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:GetChange" "route53:GetChange"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::change/*" "arn:aws:route53:::change/*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }
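Review bot: `ec2:CreateTags` is allowed on `"Resource": "*"` with no `Condition` in the second statement, while the third statement relies on `ec2:ResourceTag/KubernetesCluster` to confine `ec2:AttachVolume`, `ec2:AuthorizeSecurityGroupIngress` and the other mutating calls to this cluster. A tag condition only confines the role if the role cannot set that tag itself, so as written the scoping is weaker than it reads. The fix belongs in the policy builder rather than in this fixture: give `ec2:CreateTags` its own statement with something like `"Condition": {"StringEquals": {"aws:RequestTag/KubernetesCluster": "existingsg.example.com"}}`, after checking which tags the cluster components need to write. Part of each action list sits between hunks, so this is read from the visible lines only; the same pattern appears in the externallb, externalpolicies, ha, launchtemplates and minimal-json policy documents further down.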


@ -1,15 +1,15 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -620,6 +620,7 @@
"AWSEC2SecurityGroupmastersexternallbexamplecom": { "AWSEC2SecurityGroupmastersexternallbexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "masters.externallb.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCexternallbexamplecom" "Ref": "AWSEC2VPCexternallbexamplecom"
}, },
@ -643,6 +644,7 @@
"AWSEC2SecurityGroupnodesexternallbexamplecom": { "AWSEC2SecurityGroupnodesexternallbexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "nodes.externallb.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCexternallbexamplecom" "Ref": "AWSEC2VPCexternallbexamplecom"
}, },
@ -815,6 +817,7 @@
"AWSIAMInstanceProfilemastersexternallbexamplecom": { "AWSIAMInstanceProfilemastersexternallbexamplecom": {
"Type": "AWS::IAM::InstanceProfile", "Type": "AWS::IAM::InstanceProfile",
"Properties": { "Properties": {
"InstanceProfileName": "masters.externallb.example.com",
"Roles": [ "Roles": [
{ {
"Ref": "AWSIAMRolemastersexternallbexamplecom" "Ref": "AWSIAMRolemastersexternallbexamplecom"
@ -825,6 +828,7 @@
"AWSIAMInstanceProfilenodesexternallbexamplecom": { "AWSIAMInstanceProfilenodesexternallbexamplecom": {
"Type": "AWS::IAM::InstanceProfile", "Type": "AWS::IAM::InstanceProfile",
"Properties": { "Properties": {
"InstanceProfileName": "nodes.externallb.example.com",
"Roles": [ "Roles": [
{ {
"Ref": "AWSIAMRolenodesexternallbexamplecom" "Ref": "AWSIAMRolenodesexternallbexamplecom"


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "externallb.example.com" "ec2:ResourceTag/KubernetesCluster": "externallb.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "externallb.example.com" "autoscaling:ResourceTag/KubernetesCluster": "externallb.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,48 +121,50 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets", "route53:ListResourceRecordSets",
"route53:GetHostedZone" "route53:GetHostedZone"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:GetChange" "route53:GetChange"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::change/*" "arn:aws:route53:::change/*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,15 +1,15 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "externalpolicies.example.com" "ec2:ResourceTag/KubernetesCluster": "externalpolicies.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "externalpolicies.example.com" "autoscaling:ResourceTag/KubernetesCluster": "externalpolicies.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,48 +121,50 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets", "route53:ListResourceRecordSets",
"route53:GetHostedZone" "route53:GetHostedZone"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:GetChange" "route53:GetChange"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::change/*" "arn:aws:route53:::change/*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,15 +1,15 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -411,6 +411,9 @@ resource "aws_launch_template" "nodes-externalpolicies-example-com" {
lifecycle { lifecycle {
create_before_destroy = true create_before_destroy = true
} }
monitoring {
enabled = true
}
name_prefix = "nodes.externalpolicies.example.com-" name_prefix = "nodes.externalpolicies.example.com-"
network_interfaces { network_interfaces {
associate_public_ip_address = true associate_public_ip_address = true


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "ha.example.com" "ec2:ResourceTag/KubernetesCluster": "ha.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "ha.example.com" "autoscaling:ResourceTag/KubernetesCluster": "ha.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,48 +121,50 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets", "route53:ListResourceRecordSets",
"route53:GetHostedZone" "route53:GetHostedZone"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:GetChange" "route53:GetChange"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::change/*" "arn:aws:route53:::change/*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,15 +1,15 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -630,6 +630,7 @@
"AWSEC2SecurityGroupmasterslaunchtemplatesexamplecom": { "AWSEC2SecurityGroupmasterslaunchtemplatesexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "masters.launchtemplates.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPClaunchtemplatesexamplecom" "Ref": "AWSEC2VPClaunchtemplatesexamplecom"
}, },
@ -653,6 +654,7 @@
"AWSEC2SecurityGroupnodeslaunchtemplatesexamplecom": { "AWSEC2SecurityGroupnodeslaunchtemplatesexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "nodes.launchtemplates.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPClaunchtemplatesexamplecom" "Ref": "AWSEC2VPClaunchtemplatesexamplecom"
}, },
@ -1035,6 +1037,7 @@
"AWSIAMInstanceProfilemasterslaunchtemplatesexamplecom": { "AWSIAMInstanceProfilemasterslaunchtemplatesexamplecom": {
"Type": "AWS::IAM::InstanceProfile", "Type": "AWS::IAM::InstanceProfile",
"Properties": { "Properties": {
"InstanceProfileName": "masters.launchtemplates.example.com",
"Roles": [ "Roles": [
{ {
"Ref": "AWSIAMRolemasterslaunchtemplatesexamplecom" "Ref": "AWSIAMRolemasterslaunchtemplatesexamplecom"
@ -1045,6 +1048,7 @@
"AWSIAMInstanceProfilenodeslaunchtemplatesexamplecom": { "AWSIAMInstanceProfilenodeslaunchtemplatesexamplecom": {
"Type": "AWS::IAM::InstanceProfile", "Type": "AWS::IAM::InstanceProfile",
"Properties": { "Properties": {
"InstanceProfileName": "nodes.launchtemplates.example.com",
"Roles": [ "Roles": [
{ {
"Ref": "AWSIAMRolenodeslaunchtemplatesexamplecom" "Ref": "AWSIAMRolenodeslaunchtemplatesexamplecom"


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "launchtemplates.example.com" "ec2:ResourceTag/KubernetesCluster": "launchtemplates.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "launchtemplates.example.com" "autoscaling:ResourceTag/KubernetesCluster": "launchtemplates.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,48 +121,50 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets", "route53:ListResourceRecordSets",
"route53:GetHostedZone" "route53:GetHostedZone"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:GetChange" "route53:GetChange"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::change/*" "arn:aws:route53:::change/*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,15 +1,15 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -611,6 +611,7 @@
"AWSEC2SecurityGroupmastersminimalexamplecom": { "AWSEC2SecurityGroupmastersminimalexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "masters.minimal.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCminimalexamplecom" "Ref": "AWSEC2VPCminimalexamplecom"
}, },
@ -634,6 +635,7 @@
"AWSEC2SecurityGroupnodesminimalexamplecom": { "AWSEC2SecurityGroupnodesminimalexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "nodes.minimal.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCminimalexamplecom" "Ref": "AWSEC2VPCminimalexamplecom"
}, },
@ -806,6 +808,7 @@
"AWSIAMInstanceProfilemastersminimalexamplecom": { "AWSIAMInstanceProfilemastersminimalexamplecom": {
"Type": "AWS::IAM::InstanceProfile", "Type": "AWS::IAM::InstanceProfile",
"Properties": { "Properties": {
"InstanceProfileName": "masters.minimal.example.com",
"Roles": [ "Roles": [
{ {
"Ref": "AWSIAMRolemastersminimalexamplecom" "Ref": "AWSIAMRolemastersminimalexamplecom"
@ -816,6 +819,7 @@
"AWSIAMInstanceProfilenodesminimalexamplecom": { "AWSIAMInstanceProfilenodesminimalexamplecom": {
"Type": "AWS::IAM::InstanceProfile", "Type": "AWS::IAM::InstanceProfile",
"Properties": { "Properties": {
"InstanceProfileName": "nodes.minimal.example.com",
"Roles": [ "Roles": [
{ {
"Ref": "AWSIAMRolenodesminimalexamplecom" "Ref": "AWSIAMRolenodesminimalexamplecom"


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "minimal-json.example.com" "ec2:ResourceTag/KubernetesCluster": "minimal-json.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "minimal-json.example.com" "autoscaling:ResourceTag/KubernetesCluster": "minimal-json.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,48 +121,50 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets", "route53:ListResourceRecordSets",
"route53:GetHostedZone" "route53:GetHostedZone"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:GetChange" "route53:GetChange"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::change/*" "arn:aws:route53:::change/*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }
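Review bot: The second statement still allows `ec2:CreateTags` on `"Resource": ["*"]` with no `Condition`, while the third statement relies on `ec2:ResourceTag/KubernetesCluster` to scope volume and security-group changes to this cluster. Because the same role can set that tag, the tag condition alone does not confine the role to cluster-owned resources. This commit only reorders keys, so the gap predates it, and part of each action list is hidden between hunks. One option is to move `ec2:CreateTags` into its own statement with a condition such as `"Condition": {"StringEquals": {"ec2:CreateAction": ["CreateVolume", "CreateSecurityGroup"]}}`, after checking what the controllers need to tag after creation. That change belongs in the policy builder, which is outside this section, and the same statement appears in the other master policy fixtures below (minimal, mixedinstances, private-shared-subnet, privatecalico).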


@ -1,15 +1,15 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "minimal.example.com" "ec2:ResourceTag/KubernetesCluster": "minimal.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,48 +121,50 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets", "route53:ListResourceRecordSets",
"route53:GetHostedZone" "route53:GetHostedZone"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:GetChange" "route53:GetChange"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::change/*" "arn:aws:route53:::change/*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,15 +1,15 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1004,6 +1004,7 @@
"AWSEC2SecurityGroupmastersmixedinstancesexamplecom": { "AWSEC2SecurityGroupmastersmixedinstancesexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "masters.mixedinstances.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCmixedinstancesexamplecom" "Ref": "AWSEC2VPCmixedinstancesexamplecom"
}, },
@ -1027,6 +1028,7 @@
"AWSEC2SecurityGroupnodesmixedinstancesexamplecom": { "AWSEC2SecurityGroupnodesmixedinstancesexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "nodes.mixedinstances.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCmixedinstancesexamplecom" "Ref": "AWSEC2VPCmixedinstancesexamplecom"
}, },
@ -1409,6 +1411,7 @@
"AWSIAMInstanceProfilemastersmixedinstancesexamplecom": { "AWSIAMInstanceProfilemastersmixedinstancesexamplecom": {
"Type": "AWS::IAM::InstanceProfile", "Type": "AWS::IAM::InstanceProfile",
"Properties": { "Properties": {
"InstanceProfileName": "masters.mixedinstances.example.com",
"Roles": [ "Roles": [
{ {
"Ref": "AWSIAMRolemastersmixedinstancesexamplecom" "Ref": "AWSIAMRolemastersmixedinstancesexamplecom"
@ -1419,6 +1422,7 @@
"AWSIAMInstanceProfilenodesmixedinstancesexamplecom": { "AWSIAMInstanceProfilenodesmixedinstancesexamplecom": {
"Type": "AWS::IAM::InstanceProfile", "Type": "AWS::IAM::InstanceProfile",
"Properties": { "Properties": {
"InstanceProfileName": "nodes.mixedinstances.example.com",
"Roles": [ "Roles": [
{ {
"Ref": "AWSIAMRolenodesmixedinstancesexamplecom" "Ref": "AWSIAMRolenodesmixedinstancesexamplecom"
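Review bot: The added `"InstanceProfileName"` and `"GroupName"` properties pin these resources to fixed physical names, which changes how the template can be deployed. A template with a custom-named IAM resource has to be created with the `CAPABILITY_NAMED_IAM` capability, and CloudFormation cannot carry out an update that requires replacing a custom-named resource, so a later change of that kind needs a rename first. The names are derived only from the cluster name, so a second stack for the same cluster name in one account would collide on the instance profile names. The code that emits these properties is outside this section; a comment there such as `// explicit name: stack needs CAPABILITY_NAMED_IAM; replacement updates require a rename` would record the constraint. The same additions appear in the other CloudFormation fixtures on this page (minimal, the second mixedinstances fixture, privatecalico).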


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "mixedinstances.example.com" "ec2:ResourceTag/KubernetesCluster": "mixedinstances.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "mixedinstances.example.com" "autoscaling:ResourceTag/KubernetesCluster": "mixedinstances.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,48 +121,50 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets", "route53:ListResourceRecordSets",
"route53:GetHostedZone" "route53:GetHostedZone"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:GetChange" "route53:GetChange"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::change/*" "arn:aws:route53:::change/*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,15 +1,15 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1005,6 +1005,7 @@
"AWSEC2SecurityGroupmastersmixedinstancesexamplecom": { "AWSEC2SecurityGroupmastersmixedinstancesexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "masters.mixedinstances.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCmixedinstancesexamplecom" "Ref": "AWSEC2VPCmixedinstancesexamplecom"
}, },
@ -1028,6 +1029,7 @@
"AWSEC2SecurityGroupnodesmixedinstancesexamplecom": { "AWSEC2SecurityGroupnodesmixedinstancesexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "nodes.mixedinstances.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCmixedinstancesexamplecom" "Ref": "AWSEC2VPCmixedinstancesexamplecom"
}, },
@ -1410,6 +1412,7 @@
"AWSIAMInstanceProfilemastersmixedinstancesexamplecom": { "AWSIAMInstanceProfilemastersmixedinstancesexamplecom": {
"Type": "AWS::IAM::InstanceProfile", "Type": "AWS::IAM::InstanceProfile",
"Properties": { "Properties": {
"InstanceProfileName": "masters.mixedinstances.example.com",
"Roles": [ "Roles": [
{ {
"Ref": "AWSIAMRolemastersmixedinstancesexamplecom" "Ref": "AWSIAMRolemastersmixedinstancesexamplecom"
@ -1420,6 +1423,7 @@
"AWSIAMInstanceProfilenodesmixedinstancesexamplecom": { "AWSIAMInstanceProfilenodesmixedinstancesexamplecom": {
"Type": "AWS::IAM::InstanceProfile", "Type": "AWS::IAM::InstanceProfile",
"Properties": { "Properties": {
"InstanceProfileName": "nodes.mixedinstances.example.com",
"Roles": [ "Roles": [
{ {
"Ref": "AWSIAMRolenodesmixedinstancesexamplecom" "Ref": "AWSIAMRolenodesmixedinstancesexamplecom"


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "mixedinstances.example.com" "ec2:ResourceTag/KubernetesCluster": "mixedinstances.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "mixedinstances.example.com" "autoscaling:ResourceTag/KubernetesCluster": "mixedinstances.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,48 +121,50 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets", "route53:ListResourceRecordSets",
"route53:GetHostedZone" "route53:GetHostedZone"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:GetChange" "route53:GetChange"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::change/*" "arn:aws:route53:::change/*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,15 +1,15 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,14 +1,14 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "private-shared-subnet.example.com" "ec2:ResourceTag/KubernetesCluster": "private-shared-subnet.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "private-shared-subnet.example.com" "autoscaling:ResourceTag/KubernetesCluster": "private-shared-subnet.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,48 +121,50 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets", "route53:ListResourceRecordSets",
"route53:GetHostedZone" "route53:GetHostedZone"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:GetChange" "route53:GetChange"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::change/*" "arn:aws:route53:::change/*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,15 +1,15 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -996,6 +996,7 @@
"AWSEC2SecurityGroupapielbprivatecalicoexamplecom": { "AWSEC2SecurityGroupapielbprivatecalicoexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "api-elb.privatecalico.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCprivatecalicoexamplecom" "Ref": "AWSEC2VPCprivatecalicoexamplecom"
}, },
@ -1019,6 +1020,7 @@
"AWSEC2SecurityGroupbastionelbprivatecalicoexamplecom": { "AWSEC2SecurityGroupbastionelbprivatecalicoexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "bastion-elb.privatecalico.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCprivatecalicoexamplecom" "Ref": "AWSEC2VPCprivatecalicoexamplecom"
}, },
@ -1042,6 +1044,7 @@
"AWSEC2SecurityGroupbastionprivatecalicoexamplecom": { "AWSEC2SecurityGroupbastionprivatecalicoexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "bastion.privatecalico.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCprivatecalicoexamplecom" "Ref": "AWSEC2VPCprivatecalicoexamplecom"
}, },
@ -1065,6 +1068,7 @@
"AWSEC2SecurityGroupmastersprivatecalicoexamplecom": { "AWSEC2SecurityGroupmastersprivatecalicoexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "masters.privatecalico.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCprivatecalicoexamplecom" "Ref": "AWSEC2VPCprivatecalicoexamplecom"
}, },
@ -1088,6 +1092,7 @@
"AWSEC2SecurityGroupnodesprivatecalicoexamplecom": { "AWSEC2SecurityGroupnodesprivatecalicoexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "nodes.privatecalico.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCprivatecalicoexamplecom" "Ref": "AWSEC2VPCprivatecalicoexamplecom"
}, },
@ -1400,6 +1405,7 @@
"AWSIAMInstanceProfilebastionsprivatecalicoexamplecom": { "AWSIAMInstanceProfilebastionsprivatecalicoexamplecom": {
"Type": "AWS::IAM::InstanceProfile", "Type": "AWS::IAM::InstanceProfile",
"Properties": { "Properties": {
"InstanceProfileName": "bastions.privatecalico.example.com",
"Roles": [ "Roles": [
{ {
"Ref": "AWSIAMRolebastionsprivatecalicoexamplecom" "Ref": "AWSIAMRolebastionsprivatecalicoexamplecom"
@ -1410,6 +1416,7 @@
"AWSIAMInstanceProfilemastersprivatecalicoexamplecom": { "AWSIAMInstanceProfilemastersprivatecalicoexamplecom": {
"Type": "AWS::IAM::InstanceProfile", "Type": "AWS::IAM::InstanceProfile",
"Properties": { "Properties": {
"InstanceProfileName": "masters.privatecalico.example.com",
"Roles": [ "Roles": [
{ {
"Ref": "AWSIAMRolemastersprivatecalicoexamplecom" "Ref": "AWSIAMRolemastersprivatecalicoexamplecom"
@ -1420,6 +1427,7 @@
"AWSIAMInstanceProfilenodesprivatecalicoexamplecom": { "AWSIAMInstanceProfilenodesprivatecalicoexamplecom": {
"Type": "AWS::IAM::InstanceProfile", "Type": "AWS::IAM::InstanceProfile",
"Properties": { "Properties": {
"InstanceProfileName": "nodes.privatecalico.example.com",
"Roles": [ "Roles": [
{ {
"Ref": "AWSIAMRolenodesprivatecalicoexamplecom" "Ref": "AWSIAMRolenodesprivatecalicoexamplecom"


@ -1,14 +1,14 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "privatecalico.example.com" "ec2:ResourceTag/KubernetesCluster": "privatecalico.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "privatecalico.example.com" "autoscaling:ResourceTag/KubernetesCluster": "privatecalico.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,48 +121,50 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets", "route53:ListResourceRecordSets",
"route53:GetHostedZone" "route53:GetHostedZone"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:GetChange" "route53:GetChange"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::change/*" "arn:aws:route53:::change/*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,15 +1,15 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,14 +1,14 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "privatecanal.example.com" "ec2:ResourceTag/KubernetesCluster": "privatecanal.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "privatecanal.example.com" "autoscaling:ResourceTag/KubernetesCluster": "privatecanal.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,48 +121,50 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets", "route53:ListResourceRecordSets",
"route53:GetHostedZone" "route53:GetHostedZone"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:GetChange" "route53:GetChange"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::change/*" "arn:aws:route53:::change/*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,15 +1,15 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -982,6 +982,7 @@
"AWSEC2SecurityGroupapielbprivateciliumexamplecom": { "AWSEC2SecurityGroupapielbprivateciliumexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "api-elb.privatecilium.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCprivateciliumexamplecom" "Ref": "AWSEC2VPCprivateciliumexamplecom"
}, },
@ -1005,6 +1006,7 @@
"AWSEC2SecurityGroupbastionelbprivateciliumexamplecom": { "AWSEC2SecurityGroupbastionelbprivateciliumexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "bastion-elb.privatecilium.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCprivateciliumexamplecom" "Ref": "AWSEC2VPCprivateciliumexamplecom"
}, },
@ -1028,6 +1030,7 @@
"AWSEC2SecurityGroupbastionprivateciliumexamplecom": { "AWSEC2SecurityGroupbastionprivateciliumexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "bastion.privatecilium.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCprivateciliumexamplecom" "Ref": "AWSEC2VPCprivateciliumexamplecom"
}, },
@ -1051,6 +1054,7 @@
"AWSEC2SecurityGroupmastersprivateciliumexamplecom": { "AWSEC2SecurityGroupmastersprivateciliumexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "masters.privatecilium.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCprivateciliumexamplecom" "Ref": "AWSEC2VPCprivateciliumexamplecom"
}, },
@ -1074,6 +1078,7 @@
"AWSEC2SecurityGroupnodesprivateciliumexamplecom": { "AWSEC2SecurityGroupnodesprivateciliumexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "nodes.privatecilium.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCprivateciliumexamplecom" "Ref": "AWSEC2VPCprivateciliumexamplecom"
}, },
@ -1386,6 +1391,7 @@
"AWSIAMInstanceProfilebastionsprivateciliumexamplecom": { "AWSIAMInstanceProfilebastionsprivateciliumexamplecom": {
"Type": "AWS::IAM::InstanceProfile", "Type": "AWS::IAM::InstanceProfile",
"Properties": { "Properties": {
"InstanceProfileName": "bastions.privatecilium.example.com",
"Roles": [ "Roles": [
{ {
"Ref": "AWSIAMRolebastionsprivateciliumexamplecom" "Ref": "AWSIAMRolebastionsprivateciliumexamplecom"
@ -1396,6 +1402,7 @@
"AWSIAMInstanceProfilemastersprivateciliumexamplecom": { "AWSIAMInstanceProfilemastersprivateciliumexamplecom": {
"Type": "AWS::IAM::InstanceProfile", "Type": "AWS::IAM::InstanceProfile",
"Properties": { "Properties": {
"InstanceProfileName": "masters.privatecilium.example.com",
"Roles": [ "Roles": [
{ {
"Ref": "AWSIAMRolemastersprivateciliumexamplecom" "Ref": "AWSIAMRolemastersprivateciliumexamplecom"
@ -1406,6 +1413,7 @@
"AWSIAMInstanceProfilenodesprivateciliumexamplecom": { "AWSIAMInstanceProfilenodesprivateciliumexamplecom": {
"Type": "AWS::IAM::InstanceProfile", "Type": "AWS::IAM::InstanceProfile",
"Properties": { "Properties": {
"InstanceProfileName": "nodes.privatecilium.example.com",
"Roles": [ "Roles": [
{ {
"Ref": "AWSIAMRolenodesprivateciliumexamplecom" "Ref": "AWSIAMRolenodesprivateciliumexamplecom"
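Review bot: The new `"GroupName"` and `"InstanceProfileName"` properties give the five security groups and three instance profiles in this template fixed physical names, which changes how the stack can be deployed and updated. CloudFormation requires `CAPABILITY_NAMED_IAM` for a stack containing custom-named IAM resources, and a custom-named resource cannot go through an update that needs replacement unless its name changes too, so an existing stack that picks up this output may fail to update. This file looks like generated expected output, so any change belongs in the generator, which is not shown here; I would at least add a release note along the lines of `CloudFormation output now sets explicit GroupName/InstanceProfileName; deploy with CAPABILITY_NAMED_IAM and expect named resources to block replacement updates`. The same applies to the two other CloudFormation sections further down this page (the second privatecilium template and privateciliumadvanced).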


@ -1,14 +1,14 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "privatecilium.example.com" "ec2:ResourceTag/KubernetesCluster": "privatecilium.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "privatecilium.example.com" "autoscaling:ResourceTag/KubernetesCluster": "privatecilium.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,48 +121,50 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets", "route53:ListResourceRecordSets",
"route53:GetHostedZone" "route53:GetHostedZone"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:GetChange" "route53:GetChange"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::change/*" "arn:aws:route53:::change/*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,15 +1,15 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -982,6 +982,7 @@
"AWSEC2SecurityGroupapielbprivateciliumexamplecom": { "AWSEC2SecurityGroupapielbprivateciliumexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "api-elb.privatecilium.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCprivateciliumexamplecom" "Ref": "AWSEC2VPCprivateciliumexamplecom"
}, },
@ -1005,6 +1006,7 @@
"AWSEC2SecurityGroupbastionelbprivateciliumexamplecom": { "AWSEC2SecurityGroupbastionelbprivateciliumexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "bastion-elb.privatecilium.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCprivateciliumexamplecom" "Ref": "AWSEC2VPCprivateciliumexamplecom"
}, },
@ -1028,6 +1030,7 @@
"AWSEC2SecurityGroupbastionprivateciliumexamplecom": { "AWSEC2SecurityGroupbastionprivateciliumexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "bastion.privatecilium.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCprivateciliumexamplecom" "Ref": "AWSEC2VPCprivateciliumexamplecom"
}, },
@ -1051,6 +1054,7 @@
"AWSEC2SecurityGroupmastersprivateciliumexamplecom": { "AWSEC2SecurityGroupmastersprivateciliumexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "masters.privatecilium.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCprivateciliumexamplecom" "Ref": "AWSEC2VPCprivateciliumexamplecom"
}, },
@ -1074,6 +1078,7 @@
"AWSEC2SecurityGroupnodesprivateciliumexamplecom": { "AWSEC2SecurityGroupnodesprivateciliumexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "nodes.privatecilium.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCprivateciliumexamplecom" "Ref": "AWSEC2VPCprivateciliumexamplecom"
}, },
@ -1386,6 +1391,7 @@
"AWSIAMInstanceProfilebastionsprivateciliumexamplecom": { "AWSIAMInstanceProfilebastionsprivateciliumexamplecom": {
"Type": "AWS::IAM::InstanceProfile", "Type": "AWS::IAM::InstanceProfile",
"Properties": { "Properties": {
"InstanceProfileName": "bastions.privatecilium.example.com",
"Roles": [ "Roles": [
{ {
"Ref": "AWSIAMRolebastionsprivateciliumexamplecom" "Ref": "AWSIAMRolebastionsprivateciliumexamplecom"
@ -1396,6 +1402,7 @@
"AWSIAMInstanceProfilemastersprivateciliumexamplecom": { "AWSIAMInstanceProfilemastersprivateciliumexamplecom": {
"Type": "AWS::IAM::InstanceProfile", "Type": "AWS::IAM::InstanceProfile",
"Properties": { "Properties": {
"InstanceProfileName": "masters.privatecilium.example.com",
"Roles": [ "Roles": [
{ {
"Ref": "AWSIAMRolemastersprivateciliumexamplecom" "Ref": "AWSIAMRolemastersprivateciliumexamplecom"
@ -1406,6 +1413,7 @@
"AWSIAMInstanceProfilenodesprivateciliumexamplecom": { "AWSIAMInstanceProfilenodesprivateciliumexamplecom": {
"Type": "AWS::IAM::InstanceProfile", "Type": "AWS::IAM::InstanceProfile",
"Properties": { "Properties": {
"InstanceProfileName": "nodes.privatecilium.example.com",
"Roles": [ "Roles": [
{ {
"Ref": "AWSIAMRolenodesprivateciliumexamplecom" "Ref": "AWSIAMRolenodesprivateciliumexamplecom"


@ -1,14 +1,14 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "privatecilium.example.com" "ec2:ResourceTag/KubernetesCluster": "privatecilium.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "privatecilium.example.com" "autoscaling:ResourceTag/KubernetesCluster": "privatecilium.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,48 +121,50 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets", "route53:ListResourceRecordSets",
"route53:GetHostedZone" "route53:GetHostedZone"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:GetChange" "route53:GetChange"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::change/*" "arn:aws:route53:::change/*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,15 +1,15 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -982,6 +982,7 @@
"AWSEC2SecurityGroupapielbprivateciliumadvancedexamplecom": { "AWSEC2SecurityGroupapielbprivateciliumadvancedexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "api-elb.privateciliumadvanced.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCprivateciliumadvancedexamplecom" "Ref": "AWSEC2VPCprivateciliumadvancedexamplecom"
}, },
@ -1005,6 +1006,7 @@
"AWSEC2SecurityGroupbastionelbprivateciliumadvancedexamplecom": { "AWSEC2SecurityGroupbastionelbprivateciliumadvancedexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "bastion-elb.privateciliumadvanced.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCprivateciliumadvancedexamplecom" "Ref": "AWSEC2VPCprivateciliumadvancedexamplecom"
}, },
@ -1028,6 +1030,7 @@
"AWSEC2SecurityGroupbastionprivateciliumadvancedexamplecom": { "AWSEC2SecurityGroupbastionprivateciliumadvancedexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "bastion.privateciliumadvanced.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCprivateciliumadvancedexamplecom" "Ref": "AWSEC2VPCprivateciliumadvancedexamplecom"
}, },
@ -1051,6 +1054,7 @@
"AWSEC2SecurityGroupmastersprivateciliumadvancedexamplecom": { "AWSEC2SecurityGroupmastersprivateciliumadvancedexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "masters.privateciliumadvanced.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCprivateciliumadvancedexamplecom" "Ref": "AWSEC2VPCprivateciliumadvancedexamplecom"
}, },
@ -1074,6 +1078,7 @@
"AWSEC2SecurityGroupnodesprivateciliumadvancedexamplecom": { "AWSEC2SecurityGroupnodesprivateciliumadvancedexamplecom": {
"Type": "AWS::EC2::SecurityGroup", "Type": "AWS::EC2::SecurityGroup",
"Properties": { "Properties": {
"GroupName": "nodes.privateciliumadvanced.example.com",
"VpcId": { "VpcId": {
"Ref": "AWSEC2VPCprivateciliumadvancedexamplecom" "Ref": "AWSEC2VPCprivateciliumadvancedexamplecom"
}, },
@ -1417,6 +1422,7 @@
"AWSIAMInstanceProfilebastionsprivateciliumadvancedexamplecom": { "AWSIAMInstanceProfilebastionsprivateciliumadvancedexamplecom": {
"Type": "AWS::IAM::InstanceProfile", "Type": "AWS::IAM::InstanceProfile",
"Properties": { "Properties": {
"InstanceProfileName": "bastions.privateciliumadvanced.example.com",
"Roles": [ "Roles": [
{ {
"Ref": "AWSIAMRolebastionsprivateciliumadvancedexamplecom" "Ref": "AWSIAMRolebastionsprivateciliumadvancedexamplecom"
@ -1427,6 +1433,7 @@
"AWSIAMInstanceProfilemastersprivateciliumadvancedexamplecom": { "AWSIAMInstanceProfilemastersprivateciliumadvancedexamplecom": {
"Type": "AWS::IAM::InstanceProfile", "Type": "AWS::IAM::InstanceProfile",
"Properties": { "Properties": {
"InstanceProfileName": "masters.privateciliumadvanced.example.com",
"Roles": [ "Roles": [
{ {
"Ref": "AWSIAMRolemastersprivateciliumadvancedexamplecom" "Ref": "AWSIAMRolemastersprivateciliumadvancedexamplecom"
@ -1437,6 +1444,7 @@
"AWSIAMInstanceProfilenodesprivateciliumadvancedexamplecom": { "AWSIAMInstanceProfilenodesprivateciliumadvancedexamplecom": {
"Type": "AWS::IAM::InstanceProfile", "Type": "AWS::IAM::InstanceProfile",
"Properties": { "Properties": {
"InstanceProfileName": "nodes.privateciliumadvanced.example.com",
"Roles": [ "Roles": [
{ {
"Ref": "AWSIAMRolenodesprivateciliumadvancedexamplecom" "Ref": "AWSIAMRolenodesprivateciliumadvancedexamplecom"


@ -1,14 +1,14 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com" "ec2:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com" "autoscaling:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,51 +121,51 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets", "route53:ListResourceRecordSets",
"route53:GetHostedZone" "route53:GetHostedZone"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:GetChange" "route53:GetChange"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::change/*" "arn:aws:route53:::change/*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:AttachNetworkInterface", "ec2:AttachNetworkInterface",
@ -182,9 +180,11 @@
"ec2:ModifyNetworkInterfaceAttribute", "ec2:ModifyNetworkInterfaceAttribute",
"ec2:DescribeVpcs" "ec2:DescribeVpcs"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,15 +1,15 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,14 +1,14 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "privatedns1.example.com" "ec2:ResourceTag/KubernetesCluster": "privatedns1.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "privatedns1.example.com" "autoscaling:ResourceTag/KubernetesCluster": "privatedns1.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,48 +121,50 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets", "route53:ListResourceRecordSets",
"route53:GetHostedZone" "route53:GetHostedZone"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/Z2AFAKE1ZON3NO" "arn:aws:route53:::hostedzone/Z2AFAKE1ZON3NO"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:GetChange" "route53:GetChange"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::change/*" "arn:aws:route53:::change/*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }
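Review bot: The statement scoped by `"ec2:ResourceTag/KubernetesCluster": "privatedns1.example.com"` is only as tight as control over that tag, and the statement two above it allows `ec2:CreateTags` on `"Resource": ["*"]` with no `Condition`, so the tag condition does not by itself confine this role to the cluster's own resources. I would move `ec2:CreateTags` into its own statement and restrict it, for example with a `StringEquals` condition on `ec2:CreateAction` so tags can only be set while a resource is being created. The action lists are only partly visible between the hunks, and this file looks like generated expected output, so the change would belong in the policy builder rather than here. The same pair of statements appears in the later sections for privatedns2, privateflannel, privatekopeio, privateweave and minimal; the key reordering in this commit does not change what any of them grant.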


@ -1,15 +1,15 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,14 +1,14 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "privatedns2.example.com" "ec2:ResourceTag/KubernetesCluster": "privatedns2.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "privatedns2.example.com" "autoscaling:ResourceTag/KubernetesCluster": "privatedns2.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,48 +121,50 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets", "route53:ListResourceRecordSets",
"route53:GetHostedZone" "route53:GetHostedZone"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/Z3AFAKE1ZOMORE" "arn:aws:route53:::hostedzone/Z3AFAKE1ZOMORE"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:GetChange" "route53:GetChange"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::change/*" "arn:aws:route53:::change/*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,15 +1,15 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,14 +1,14 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "privateflannel.example.com" "ec2:ResourceTag/KubernetesCluster": "privateflannel.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "privateflannel.example.com" "autoscaling:ResourceTag/KubernetesCluster": "privateflannel.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,48 +121,50 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets", "route53:ListResourceRecordSets",
"route53:GetHostedZone" "route53:GetHostedZone"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:GetChange" "route53:GetChange"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::change/*" "arn:aws:route53:::change/*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,15 +1,15 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,14 +1,14 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "privatekopeio.example.com" "ec2:ResourceTag/KubernetesCluster": "privatekopeio.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "privatekopeio.example.com" "autoscaling:ResourceTag/KubernetesCluster": "privatekopeio.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,48 +121,50 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets", "route53:ListResourceRecordSets",
"route53:GetHostedZone" "route53:GetHostedZone"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:GetChange" "route53:GetChange"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::change/*" "arn:aws:route53:::change/*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,15 +1,15 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,14 +1,14 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "privateweave.example.com" "ec2:ResourceTag/KubernetesCluster": "privateweave.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "privateweave.example.com" "autoscaling:ResourceTag/KubernetesCluster": "privateweave.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,48 +121,50 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets", "route53:ListResourceRecordSets",
"route53:GetHostedZone" "route53:GetHostedZone"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:GetChange" "route53:GetChange"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::change/*" "arn:aws:route53:::change/*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,15 +1,15 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,17 +1,17 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::123456789012:oidc-provider/api.minimal.example.com"
},
"Action": "sts:AssumeRoleWithWebIdentity", "Action": "sts:AssumeRoleWithWebIdentity",
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"api.minimal.example.com:sub": "system:serviceaccount:kube-system:dns-controller" "api.minimal.example.com:sub": "system:serviceaccount:kube-system:dns-controller"
} }
},
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::123456789012:oidc-provider/api.minimal.example.com"
} }
} }
] ],
"Version": "2012-10-17"
} }
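Review bot: This trust policy admits the federated principal on a `sub` match alone; the `StringEquals` block holds `api.minimal.example.com:sub` and no audience check. If the OIDC provider's client-ID list ever carries more than one audience, a token issued for a different audience with the same subject would still satisfy the condition. I would add a second key to the same block, `"api.minimal.example.com:aud": "<expected-audience>"` (placeholder; the real value is not shown on this page). The file appears to be generated expected output, so the change would go in the code that builds the trust policy, which is outside this section.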


@ -1,34 +1,34 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets", "route53:ListResourceRecordSets",
"route53:GetHostedZone" "route53:GetHostedZone"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:GetChange" "route53:GetChange"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::change/*" "arn:aws:route53:::change/*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "minimal.example.com" "ec2:ResourceTag/KubernetesCluster": "minimal.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,19 +121,21 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,15 +1,15 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "sharedsubnet.example.com" "ec2:ResourceTag/KubernetesCluster": "sharedsubnet.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "sharedsubnet.example.com" "autoscaling:ResourceTag/KubernetesCluster": "sharedsubnet.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,48 +121,50 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets", "route53:ListResourceRecordSets",
"route53:GetHostedZone" "route53:GetHostedZone"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:GetChange" "route53:GetChange"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::change/*" "arn:aws:route53:::change/*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,15 +1,15 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "sharedvpc.example.com" "ec2:ResourceTag/KubernetesCluster": "sharedvpc.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "sharedvpc.example.com" "autoscaling:ResourceTag/KubernetesCluster": "sharedvpc.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,48 +121,50 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets", "route53:ListResourceRecordSets",
"route53:GetHostedZone" "route53:GetHostedZone"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:GetChange" "route53:GetChange"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::change/*" "arn:aws:route53:::change/*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,15 +1,15 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,14 +1,14 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,8 +1,6 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
@ -13,12 +11,12 @@
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes" "ec2:DescribeVolumes"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:CreateSecurityGroup", "ec2:CreateSecurityGroup",
"ec2:CreateTags", "ec2:CreateTags",
@ -27,12 +25,12 @@
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume" "ec2:ModifyVolume"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:AttachVolume", "ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
@ -43,45 +41,45 @@
"ec2:DetachVolume", "ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress" "ec2:RevokeSecurityGroupIngress"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "unmanaged.example.com" "ec2:ResourceTag/KubernetesCluster": "unmanaged.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:DescribeLaunchTemplateVersions" "ec2:DescribeLaunchTemplateVersions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"autoscaling:SetDesiredCapacity", "autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup" "autoscaling:UpdateAutoScalingGroup"
], ],
"Resource": [
"*"
],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
"autoscaling:ResourceTag/KubernetesCluster": "unmanaged.example.com" "autoscaling:ResourceTag/KubernetesCluster": "unmanaged.example.com"
} }
} },
"Effect": "Allow",
"Resource": [
"*"
]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AttachLoadBalancerToSubnets",
@ -100,12 +98,12 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeVpcs", "ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
@ -123,48 +121,50 @@
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:ListServerCertificates",
"iam:GetServerCertificate" "iam:GetServerCertificate"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets", "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets", "route53:ListResourceRecordSets",
"route53:GetHostedZone" "route53:GetHostedZone"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:GetChange" "route53:GetChange"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:route53:::change/*" "arn:aws:route53:::change/*"
] ]
}, },
{ {
"Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones" "route53:ListHostedZones"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -1,15 +1,15 @@
{ {
"Version": "2012-10-17",
"Statement": [ "Statement": [
{ {
"Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions" "ec2:DescribeRegions"
], ],
"Effect": "Allow",
"Resource": [ "Resource": [
"*" "*"
] ]
} }
] ],
"Version": "2012-10-17"
} }


@ -191,7 +191,10 @@ func (e *AutoscalingGroup) Find(c *fi.Context) (*AutoscalingGroup, error) {
if len(g.Tags) != 0 { if len(g.Tags) != 0 {
actual.Tags = make(map[string]string) actual.Tags = make(map[string]string)
for _, tag := range g.Tags { for _, tag := range g.Tags {
actual.Tags[fi.StringValue(tag.Key)] = fi.StringValue(tag.Value) if strings.HasPrefix(aws.StringValue(tag.Key), "aws:cloudformation:") {
continue
}
actual.Tags[aws.StringValue(tag.Key)] = aws.StringValue(tag.Value)
} }
} }
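Review bot: The literal `"aws:cloudformation:"` filter added in this loop is repeated verbatim in the ClassicLoadBalancer and NetworkLoadBalancer `Find` hunks further down, and none of the three has a comment saying why these tags are skipped. I would move the check into one shared helper with a named constant and document it there, e.g. `// Tags under aws:cloudformation: are added by CloudFormation itself, not by the task, so they are left out of the actual state.` AWS reserves the whole `aws:` tag prefix, so that helper is also the place to decide whether other AWS-generated tags should be ignored when comparing actual and expected tags. `Find` starts and ends outside this hunk.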


@ -320,6 +320,9 @@ func (e *ClassicLoadBalancer) Find(c *fi.Context) (*ClassicLoadBalancer, error)
} }
actual.Tags = make(map[string]string) actual.Tags = make(map[string]string)
for _, tag := range tagMap[*e.LoadBalancerName] { for _, tag := range tagMap[*e.LoadBalancerName] {
if strings.HasPrefix(aws.StringValue(tag.Key), "aws:cloudformation:") {
continue
}
actual.Tags[aws.StringValue(tag.Key)] = aws.StringValue(tag.Value) actual.Tags[aws.StringValue(tag.Key)] = aws.StringValue(tag.Value)
} }


@ -126,13 +126,13 @@ func (_ *IAMInstanceProfileRole) RenderTerraform(t *terraform.TerraformTarget, a
} }
type cloudformationIAMInstanceProfile struct { type cloudformationIAMInstanceProfile struct {
//Path *string `json:"name"` InstanceProfileName *string `json:"InstanceProfileName"`
Roles []*cloudformation.Literal `json:"Roles"` Roles []*cloudformation.Literal `json:"Roles"`
} }
func (_ *IAMInstanceProfileRole) RenderCloudformation(t *cloudformation.CloudformationTarget, a, e, changes *IAMInstanceProfileRole) error { func (_ *IAMInstanceProfileRole) RenderCloudformation(t *cloudformation.CloudformationTarget, a, e, changes *IAMInstanceProfileRole) error {
cf := &cloudformationIAMInstanceProfile{ cf := &cloudformationIAMInstanceProfile{
//Path: e.InstanceProfile.Name, InstanceProfileName: e.InstanceProfile.Name,
Roles: []*cloudformation.Literal{e.Role.CloudformationLink()}, Roles: []*cloudformation.Literal{e.Role.CloudformationLink()},
} }
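Review bot: Setting `InstanceProfileName` turns the instance profile into a custom-named IAM resource, and nothing on the struct or in `RenderCloudformation` records what that means for whoever applies the template. CloudFormation only accepts custom-named IAM resources when the stack is created or updated with the `CAPABILITY_NAMED_IAM` capability, so a comment on the field such as `// InstanceProfileName is a custom IAM name: the stack must be deployed with CAPABILITY_NAMED_IAM.` would carry that. The field's tag has no `omitempty`, so a nil `e.InstanceProfile.Name` would presumably render as `null`; whether that can happen is not visible here. `RenderCloudformation` continues outside the hunk.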


@ -17,10 +17,9 @@ limitations under the License.
package awstasks package awstasks
import ( import (
"encoding/json"
"fmt" "fmt"
"hash/fnv" "hash/fnv"
"encoding/json"
"net/url" "net/url"
"github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws"
@ -115,7 +114,19 @@ func (e *IAMRolePolicy) Find(c *fi.Context) (*IAMRolePolicy, error) {
if err != nil { if err != nil {
return nil, fmt.Errorf("error parsing PolicyDocument for IAMRolePolicy %q: %v", aws.StringValue(e.Name), err) return nil, fmt.Errorf("error parsing PolicyDocument for IAMRolePolicy %q: %v", aws.StringValue(e.Name), err)
} }
actual.PolicyDocument = fi.WrapResource(fi.NewStringResource(policy))
// Reformat the PolicyDocument by unmarshaling and re-marshaling to JSON.
// This will make it possible to compare it when using CloudFormation.
var jsonData interface{}
err = json.Unmarshal([]byte(policy), &jsonData)
if err != nil {
return nil, fmt.Errorf("error parsing cloudformation policy document from JSON: %v", err)
}
jsonBytes, err := json.MarshalIndent(jsonData, "", " ")
if err != nil {
return nil, fmt.Errorf("error converting cloudformation policy document to JSON: %v", err)
}
actual.PolicyDocument = fi.WrapResource(fi.NewStringResource(string(jsonBytes)))
} }
actual.Name = p.PolicyName actual.Name = p.PolicyName
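Review bot: The two new error returns in the re-marshal step call the input a "cloudformation policy document" and drop the policy name, although the document is the one just parsed for this IAMRolePolicy; the error directly above them names the policy. I would keep them parallel, e.g. `return nil, fmt.Errorf("error normalizing PolicyDocument for IAMRolePolicy %q: %v", aws.StringValue(e.Name), err)`. The comment could also state that the comparison relies on `encoding/json` emitting object keys in sorted order, which the expected side has to match; if the two orderings drift apart, every run would report a policy change and a real change to the role's permissions becomes harder to notice. Decoding into `interface{}` turns numbers into float64, so a `json.Decoder` with `UseNumber` would be safer if numeric condition values can occur. `Find` starts and ends outside the hunk.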


@ -206,6 +206,11 @@ func (t *LaunchTemplate) RenderCloudformation(target *cloudformation.Cloudformat
if e.Tenancy != nil { if e.Tenancy != nil {
data.Placement = []*cloudformationLaunchTemplatePlacement{{Tenancy: e.Tenancy}} data.Placement = []*cloudformationLaunchTemplatePlacement{{Tenancy: e.Tenancy}}
} }
if e.InstanceMonitoring != nil {
data.Monitoring = &cloudformationLaunchTemplateMonitoring{
Enabled: e.InstanceMonitoring,
}
}
if e.IAMInstanceProfile != nil { if e.IAMInstanceProfile != nil {
data.IAMInstanceProfile = &cloudformationLaunchTemplateIAMProfile{ data.IAMInstanceProfile = &cloudformationLaunchTemplateIAMProfile{
Name: e.IAMInstanceProfile.CloudformationLink(), Name: e.IAMInstanceProfile.CloudformationLink(),


@ -72,6 +72,9 @@ func TestLaunchTemplateCloudformationRender(t *testing.T) {
"MaxPrice": "10" "MaxPrice": "10"
} }
}, },
"Monitoring": {
"Enabled": true
},
"NetworkInterfaces": [ "NetworkInterfaces": [
{ {
"AssociatePublicIpAddress": true, "AssociatePublicIpAddress": true,
@ -155,6 +158,9 @@ func TestLaunchTemplateCloudformationRender(t *testing.T) {
}, },
"InstanceType": "t2.medium", "InstanceType": "t2.medium",
"KeyName": "mykey", "KeyName": "mykey",
"Monitoring": {
"Enabled": true
},
"NetworkInterfaces": [ "NetworkInterfaces": [
{ {
"AssociatePublicIpAddress": true, "AssociatePublicIpAddress": true,


@ -205,6 +205,11 @@ func (t *LaunchTemplate) RenderTerraform(target *terraform.TerraformTarget, a, e
if e.Tenancy != nil { if e.Tenancy != nil {
tf.Placement = []*terraformLaunchTemplatePlacement{{Tenancy: e.Tenancy}} tf.Placement = []*terraformLaunchTemplatePlacement{{Tenancy: e.Tenancy}}
} }
if e.InstanceMonitoring != nil {
tf.Monitoring = []*terraformLaunchTemplateMonitoring{
{Enabled: e.InstanceMonitoring},
}
}
if e.IAMInstanceProfile != nil { if e.IAMInstanceProfile != nil {
tf.IAMInstanceProfile = []*terraformLaunchTemplateIAMProfile{ tf.IAMInstanceProfile = []*terraformLaunchTemplateIAMProfile{
{Name: e.IAMInstanceProfile.TerraformLink()}, {Name: e.IAMInstanceProfile.TerraformLink()},


@ -72,6 +72,9 @@ resource "aws_launch_template" "test" {
lifecycle { lifecycle {
create_before_destroy = true create_before_destroy = true
} }
monitoring {
enabled = true
}
name_prefix = "test-" name_prefix = "test-"
network_interfaces { network_interfaces {
associate_public_ip_address = true associate_public_ip_address = true
@ -148,6 +151,9 @@ resource "aws_launch_template" "test" {
lifecycle { lifecycle {
create_before_destroy = true create_before_destroy = true
} }
monitoring {
enabled = true
}
name_prefix = "test-" name_prefix = "test-"
network_interfaces { network_interfaces {
associate_public_ip_address = true associate_public_ip_address = true


@ -324,6 +324,9 @@ func (e *NetworkLoadBalancer) Find(c *fi.Context) (*NetworkLoadBalancer, error)
} }
actual.Tags = make(map[string]string) actual.Tags = make(map[string]string)
for _, tag := range tagMap[*loadBalancerArn] { for _, tag := range tagMap[*loadBalancerArn] {
if strings.HasPrefix(aws.StringValue(tag.Key), "aws:cloudformation:") {
continue
}
actual.Tags[aws.StringValue(tag.Key)] = aws.StringValue(tag.Value) actual.Tags[aws.StringValue(tag.Key)] = aws.StringValue(tag.Value)
} }


@ -222,7 +222,7 @@ func (e *SecurityGroup) TerraformLink() *terraform.Literal {
} }
type cloudformationSecurityGroup struct { type cloudformationSecurityGroup struct {
//Name *string `json:"name"` GroupName *string `json:"GroupName"`
VpcId *cloudformation.Literal `json:"VpcId"` VpcId *cloudformation.Literal `json:"VpcId"`
Description *string `json:"GroupDescription"` Description *string `json:"GroupDescription"`
Tags []cloudformationTag `json:"Tags,omitempty"` Tags []cloudformationTag `json:"Tags,omitempty"`
@ -236,7 +236,7 @@ func (_ *SecurityGroup) RenderCloudformation(t *cloudformation.CloudformationTar
} }
tf := &cloudformationSecurityGroup{ tf := &cloudformationSecurityGroup{
//Name: e.Name, GroupName: e.Name,
VpcId: e.VPC.CloudformationLink(), VpcId: e.VPC.CloudformationLink(),
Description: e.Description, Description: e.Description,
Tags: buildCloudformationTags(e.Tags), Tags: buildCloudformationTags(e.Tags),
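Review bot: `GroupName: e.Name` gives the security group a custom name, and the struct carries no comment on the consequence: with a custom name CloudFormation cannot apply an update that requires replacing the resource, which for a security group includes a change to `GroupDescription` or `VpcId`. I would note that on the field, e.g. `// GroupName is a custom name; a change to Description or VpcId then needs a new name, because CloudFormation cannot replace a custom-named group.` The tag has no `omitempty`, so a nil `e.Name` would presumably be emitted as `null`. The local holding this struct is still called `tf` in a CloudFormation renderer; `cf`, as used in `IAMInstanceProfileRole.RenderCloudformation`, would read better. `RenderCloudformation` starts before and continues past the second hunk.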
