Add tagging support to AWS Instance Profiles and OIDC Providers

2021-02-15 15:55:23 -06:00 · 2021-02-15 15:55:23 -06:00 · d52fd9f76c
parent 6e6e072d93
commit d52fd9f76c
8 changed files with 90 additions and 9 deletions
--- a/cloudmock/aws/mockiam/iaminstanceprofile.go
+++ b/cloudmock/aws/mockiam/iaminstanceprofile.go
@ -57,6 +57,7 @@ func (m *MockIAM) CreateInstanceProfile(request *iam.CreateInstanceProfileInput)
 		// Arn:                 request.Arn,
 		// InstanceProfileId:   request.InstanceProfileId,
 		Path: request.Path,
 		Tags: request.Tags,
 		// Roles:               request.Roles,
 	}
--- a/cloudmock/aws/mockiam/oidcprovider.go
+++ b/cloudmock/aws/mockiam/oidcprovider.go
@ -63,6 +63,7 @@ func (m *MockIAM) GetOpenIDConnectProviderWithContext(ctx aws.Context, request *
 	response := &iam.GetOpenIDConnectProviderOutput{
 		ClientIDList:   provider.ClientIDList,
 		CreateDate:     provider.CreateDate,
 		Tags:           provider.Tags,
 		ThumbprintList: provider.ThumbprintList,
 		Url:            provider.Url,
 	}
@ -87,6 +88,7 @@ func (m *MockIAM) CreateOpenIDConnectProvider(request *iam.CreateOpenIDConnectPr
 	p := &iam.GetOpenIDConnectProviderOutput{
 		ClientIDList:   request.ClientIDList,
 		Tags:           request.Tags,
 		ThumbprintList: request.ThumbprintList,
 		Url:            request.Url,
 	}
--- a/pkg/model/awsmodel/oidc_provider.go
+++ b/pkg/model/awsmodel/oidc_provider.go
@ -69,6 +69,7 @@ func (b *OIDCProviderBuilder) Build(c *fi.ModelBuilderContext) error {
 		Lifecycle:   b.Lifecycle,
 		URL:         fi.String(issuerURL),
 		ClientIDs:   []*string{fi.String(defaultAudience)},
 		Tags:        b.CloudTags(b.ClusterName(), false),
 		Thumbprints: thumbprints,
 	})
--- a/pkg/model/iam.go
+++ b/pkg/model/iam.go
@ -230,6 +230,7 @@ func (b *IAMModelBuilder) buildIAMTasks(role iam.Subject, iamName string, c *fi.
 				Name:      s(iamName),
 				Lifecycle: b.Lifecycle,
 				Shared:    fi.Bool(shared),
 				Tags:      b.CloudTags(iamName, false),
 			}
 			c.AddTask(iamInstanceProfile)
 		}
--- a/pkg/resources/aws/aws.go
+++ b/pkg/resources/aws/aws.go
@ -307,6 +307,24 @@ func matchesElbV2Tags(tags map[string]string, actual []*elbv2.Tag) bool {
 	return true
 }
 func matchesIAMTags(tags map[string]string, actual []*iam.Tag) bool {
 	for k, v := range tags {
 		found := false
 		for _, a := range actual {
 			if aws.StringValue(a.Key) == k {
 				if aws.StringValue(a.Value) == v {
 					found = true
 					break
 				}
 			}
 		}
 		if !found {
 			return false
 		}
 	}
 	return true
 }
 //type DeletableResource interface {
 //	Delete(cloud fi.Cloud) error
 //}
@ -2097,6 +2115,7 @@ func ListIAMInstanceProfiles(cloud fi.Cloud, clusterName string) ([]*resources.R
 func ListIAMOIDCProviders(cloud fi.Cloud, clusterName string) ([]*resources.Resource, error) {
 	c := cloud.(awsup.AWSCloud)
 	tags := c.Tags()
 	var providers []*string
 	{
@ -2110,18 +2129,14 @@ func ListIAMOIDCProviders(cloud fi.Cloud, clusterName string) ([]*resources.Reso
 			descReq := &iam.GetOpenIDConnectProviderInput{
 				OpenIDConnectProviderArn: arn,
 			}
-			_, err := c.IAM().GetOpenIDConnectProvider(descReq)
+			resp, err := c.IAM().GetOpenIDConnectProvider(descReq)
 			if err != nil {
 				return nil, fmt.Errorf("error getting IAM OIDC Provider: %v", err)
 			}
-			// TODO: only delete oidc providers if they're owned by the cluster.
+			if !matchesIAMTags(tags, resp.Tags) {
-			// We need to figure out how we can determine that given only a cluster name.
+				continue
-			// Providers dont support tagging or naming.
+			}
-
+			providers = append(providers, arn)
 			// providers = append(providers, arn)
 		}
 		if err != nil {
 			return nil, fmt.Errorf("error listing IAM roles: %v", err)
 		}
 	}
--- a/upup/pkg/fi/cloudup/awstasks/iaminstanceprofile.go
+++ b/upup/pkg/fi/cloudup/awstasks/iaminstanceprofile.go
@ -35,6 +35,8 @@ type IAMInstanceProfile struct {
 	Name      *string
 	Lifecycle *fi.Lifecycle
 	Tags map[string]string
 	ID     *string
 	Shared *bool
 }
@ -79,6 +81,7 @@ func (e *IAMInstanceProfile) Find(c *fi.Context) (*IAMInstanceProfile, error) {
 	actual := &IAMInstanceProfile{
 		ID:   p.InstanceProfileId,
 		Name: p.InstanceProfileName,
 		Tags: mapIAMTagsToMap(p.Tags),
 	}
 	e.ID = actual.ID
@ -114,6 +117,7 @@ func (_ *IAMInstanceProfile) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *IAM
 		request := &iam.CreateInstanceProfileInput{
 			InstanceProfileName: e.Name,
 			Tags:                mapToIAMTags(e.Tags),
 		}
 		response, err := t.Cloud.IAM().CreateInstanceProfile(request)
@ -123,6 +127,33 @@ func (_ *IAMInstanceProfile) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *IAM
 		e.ID = response.InstanceProfile.InstanceProfileId
 		e.Name = response.InstanceProfile.InstanceProfileName
 	} else {
 		if changes.Tags != nil {
 			if len(a.Tags) > 0 {
 				existingTagKeys := make([]*string, 0)
 				for k := range a.Tags {
 					existingTagKeys = append(existingTagKeys, &k)
 				}
 				untagRequest := &iam.UntagInstanceProfileInput{
 					InstanceProfileName: a.Name,
 					TagKeys:             existingTagKeys,
 				}
 				_, err := t.Cloud.IAM().UntagInstanceProfile(untagRequest)
 				if err != nil {
 					return fmt.Errorf("error untagging IAMInstanceProfile: %v", err)
 				}
 			}
 			if len(e.Tags) > 0 {
 				tagRequest := &iam.TagInstanceProfileInput{
 					InstanceProfileName: a.Name,
 					Tags:                mapToIAMTags(e.Tags),
 				}
 				_, err := t.Cloud.IAM().TagInstanceProfile(tagRequest)
 				if err != nil {
 					return fmt.Errorf("error tagging IAMInstanceProfile: %v", err)
 				}
 			}
 		}
 	}
 	// TODO: Should we use path as our tag?
--- a/upup/pkg/fi/cloudup/awstasks/iaminstanceprofilerole.go
+++ b/upup/pkg/fi/cloudup/awstasks/iaminstanceprofilerole.go
@ -114,6 +114,7 @@ func (_ *IAMInstanceProfileRole) RenderAWS(t *awsup.AWSAPITarget, a, e, changes
 type terraformIAMInstanceProfile struct {
 	Name *string            `json:"name" cty:"name"`
 	Role *terraform.Literal `json:"role" cty:"role"`
 	// TODO(rifelpet): add tags field when terraform supports it
 }
 func (_ *IAMInstanceProfileRole) RenderTerraform(t *terraform.TerraformTarget, a, e, changes *IAMInstanceProfileRole) error {
--- a/upup/pkg/fi/cloudup/awstasks/iamoidcprovider.go
+++ b/upup/pkg/fi/cloudup/awstasks/iamoidcprovider.go
@ -39,6 +39,7 @@ type IAMOIDCProvider struct {
 	URL         *string
 	Name *string
 	Tags map[string]string
 	arn *string
 }
@ -83,6 +84,7 @@ func (e *IAMOIDCProvider) Find(c *fi.Context) (*IAMOIDCProvider, error) {
 				ClientIDs:   descResp.ClientIDList,
 				Thumbprints: actualThumbprints,
 				URL:         &actualURL,
 				Tags:        mapIAMTagsToMap(descResp.Tags),
 				arn:         arn,
 			}
@ -135,6 +137,7 @@ func (p *IAMOIDCProvider) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *IAMOID
 			ClientIDList:   e.ClientIDs,
 			ThumbprintList: aws.StringSlice(thumbprints),
 			Url:            e.URL,
 			Tags:           mapToIAMTags(e.Tags),
 		}
 		response, err := t.Cloud.IAM().CreateOpenIDConnectProvider(request)
@ -156,6 +159,32 @@ func (p *IAMOIDCProvider) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *IAMOID
 				return fmt.Errorf("error updating IAMOIDCProvider Thumbprints: %v", err)
 			}
 		}
 		if changes.Tags != nil {
 			if len(a.Tags) > 0 {
 				existingTagKeys := make([]*string, 0)
 				for k := range a.Tags {
 					existingTagKeys = append(existingTagKeys, &k)
 				}
 				untagRequest := &iam.UntagOpenIDConnectProviderInput{
 					OpenIDConnectProviderArn: a.arn,
 					TagKeys:                  existingTagKeys,
 				}
 				_, err = t.Cloud.IAM().UntagOpenIDConnectProvider(untagRequest)
 				if err != nil {
 					return fmt.Errorf("error untagging IAMOIDCProvider: %v", err)
 				}
 			}
 			if len(e.Tags) > 0 {
 				tagRequest := &iam.TagOpenIDConnectProviderInput{
 					OpenIDConnectProviderArn: a.arn,
 					Tags:                     mapToIAMTags(e.Tags),
 				}
 				_, err = t.Cloud.IAM().TagOpenIDConnectProvider(tagRequest)
 				if err != nil {
 					return fmt.Errorf("error tagging IAMOIDCProvider: %v", err)
 				}
 			}
 		}
 	}
 	return nil
 }