Add AttachPolicy to NodeGroupIAM configuration (#4331)

* Add AttachPolicy to NodeGroupIAM configuration

* Add NodeGroup AttachPolicy tests

* fix

* Add nodegroup IAM attachPolicy field to userdocs

* Add assertion for attachPolicy policy document

* Compare JSON encoded policy due to interface differences

Author: adammw

pkg/apis/eksctl.io/v1alpha5/assets/schema.json

@@ -1519,11 +1519,18 @@
     },
     "NodeGroupIAM": {
       "properties": {
+        "attachPolicy": {
+          "$ref": "#/definitions/InlineDocument",
+          "description": "holds a policy document to attach",
+          "x-intellij-html-description": "holds a policy document to attach"
+        },
         "attachPolicyARNs": {
           "items": {
             "type": "string"
           },
-          "type": "array"
+          "type": "array",
+          "description": "list of ARNs of the IAM policies to attach",
+          "x-intellij-html-description": "list of ARNs of the IAM policies to attach"
         },
         "instanceProfileARN": {
           "type": "string"
@@ -1542,6 +1549,7 @@
         }
       },
       "preferredOrder": [
+        "attachPolicy",
         "attachPolicyARNs",
         "instanceProfileARN",
         "instanceRoleARN",

pkg/apis/eksctl.io/v1alpha5/types.go

@@ -1116,6 +1116,10 @@ type (
 	}
 	// NodeGroupIAM holds all IAM attributes of a NodeGroup
 	NodeGroupIAM struct {
+		// AttachPolicy holds a policy document to attach
+		// +optional
+		AttachPolicy InlineDocument `json:"attachPolicy,omitempty"`
+		// list of ARNs of the IAM policies to attach
 		// +optional
 		AttachPolicyARNs []string `json:"attachPolicyARNs,omitempty"`
 		// +optional

pkg/apis/eksctl.io/v1alpha5/validation.go

@@ -601,6 +601,9 @@ func validateNodeGroupIAM(iam *NodeGroupIAM, value, fieldName, path string) erro
 		if iam.InstanceRoleName != "" {
 			return fmtFieldConflictErr("instanceRoleName")
 		}
+		if iam.AttachPolicy != nil {
+			return fmtFieldConflictErr("attachPolicy")
+		}
 		if len(iam.AttachPolicyARNs) != 0 {
 			return fmtFieldConflictErr("attachPolicyARNs")
 		}

pkg/apis/eksctl.io/v1alpha5/validation_test.go

@@ -9,6 +9,7 @@ import (
 	. "github.com/onsi/gomega"
 
 	api "github.com/weaveworks/eksctl/pkg/apis/eksctl.io/v1alpha5"
+	cft "github.com/weaveworks/eksctl/pkg/cfn/template"
 	"github.com/weaveworks/eksctl/pkg/utils/strings"
 )
 
@@ -228,6 +229,15 @@ var _ = Describe("ClusterConfig validation", func() {
 			ng0 := cfg.NewNodeGroup()
 			ng0.Name = "ng0"
 
+			ng0.IAM.AttachPolicy = cft.MakePolicyDocument(
+				cft.MapOfInterfaces{
+					"Effect": "Allow",
+					"Action": []string{
+						"s3:Get*",
+					},
+					"Resource": "*",
+				},
+			)
 			ng0.IAM.AttachPolicyARNs = []string{
 				"arn:aws:iam::aws:policy/Foo",
 				"arn:aws:iam::aws:policy/Bar",
@@ -308,6 +318,23 @@ var _ = Describe("ClusterConfig validation", func() {
 			Expect(err.Error()).To(Equal("nodeGroups[1].iam.instanceRoleARN and nodeGroups[1].iam.instanceRoleName cannot be set at the same time"))
 		})
 
+		It("should not allow setting instanceRoleARN and attachPolicy", func() {
+			ng1.IAM.InstanceRoleARN = "r1"
+			ng1.IAM.AttachPolicy = cft.MakePolicyDocument(
+				cft.MapOfInterfaces{
+					"Effect": "Allow",
+					"Action": []string{
+						"s3:Get*",
+					},
+					"Resource": "*",
+				},
+			)
+
+			err = api.ValidateNodeGroup(1, ng1)
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(Equal("nodeGroups[1].iam.instanceRoleARN and nodeGroups[1].iam.attachPolicy cannot be set at the same time"))
+		})
+
 		It("should not allow setting instanceRoleARN and attachPolicyARNs", func() {
 			ng1.IAM.InstanceRoleARN = "r1"
 			ng1.IAM.AttachPolicyARNs = []string{

pkg/apis/eksctl.io/v1alpha5/zz_generated.deepcopy.go

@@ -38,6 +38,7 @@ type Properties struct {
 	AssumeRolePolicyDocument interface{}
 
 	PolicyDocument struct {
+		Version   string
 		Statement []struct {
 			Action    []string
 			Effect    string

pkg/cfn/builder/fakes/fake_cfn_template.go

@@ -49,6 +49,14 @@ func (c *resourceSet) attachAllowPolicy(name string, refRole *gfnt.Value, statem
 	})
 }
 
+func (c *resourceSet) attachAllowPolicyDocument(name string, refRole *gfnt.Value, document api.InlineDocument) {
+	c.newResource(name, &gfniam.Policy{
+		PolicyName:     makeName(name),
+		Roles:          gfnt.NewSlice(refRole),
+		PolicyDocument: document,
+	})
+}
+
 // WithIAM states, if IAM roles will be created or not
 func (c *ClusterResourceSet) WithIAM() bool {
 	return c.rs.withIAM

pkg/cfn/builder/iam.go

@@ -15,6 +15,7 @@ import (
 
 type cfnTemplate interface {
 	attachAllowPolicy(name string, refRole *gfnt.Value, statements []cft.MapOfInterfaces)
+	attachAllowPolicyDocument(name string, refRole *gfnt.Value, document api.InlineDocument)
 	newResource(name string, resource gfn.Resource) *gfnt.Value
 }
 
@@ -97,6 +98,10 @@ func createRole(cfnTemplate cfnTemplate, clusterIAMConfig *api.ClusterIAM, iamCo
 
 	refIR := cfnTemplate.newResource(cfnIAMInstanceRoleName, &role)
 
+	if iamConfig.AttachPolicy != nil {
+		cfnTemplate.attachAllowPolicyDocument("Policy1", refIR, iamConfig.AttachPolicy)
+	}
+
 	if api.IsEnabled(iamConfig.WithAddonPolicies.AutoScaler) {
 		cfnTemplate.attachAllowPolicy("PolicyAutoScaling", refIR, autoScalerStatements())
 	}

pkg/cfn/builder/iam_helper.go

@@ -1,11 +1,13 @@
 package builder
 
 import (
+	"encoding/json"
 	"fmt"
 	"testing"
 
 	"github.com/stretchr/testify/require"
 	api "github.com/weaveworks/eksctl/pkg/apis/eksctl.io/v1alpha5"
+	cft "github.com/weaveworks/eksctl/pkg/cfn/template"
 	"github.com/weaveworks/eksctl/pkg/nodebootstrap"
 	"github.com/weaveworks/eksctl/pkg/nodebootstrap/fakes"
 	"github.com/weaveworks/eksctl/pkg/testutils/mockprovider"
@@ -18,7 +20,9 @@ import (
 func TestManagedPolicyResources(t *testing.T) {
 	iamRoleTests := []struct {
 		addons                  api.NodeGroupIAMAddonPolicies
+		attachPolicy            api.InlineDocument
 		attachPolicyARNs        []string
+		expectedNewPolicies     []string
 		expectedManagedPolicies []*gfnt.Value
 		description             string
 	}{
@@ -42,16 +46,36 @@ func TestManagedPolicyResources(t *testing.T) {
 				"AmazonEC2ContainerRegistryReadOnly", "AmazonSSMManagedInstanceCore", "CloudWatchAgentServerPolicy"),
 			description: "CloudWatch enabled",
 		},
+		{
+			addons: api.NodeGroupIAMAddonPolicies{
+				AutoScaler: api.Enabled(),
+			},
+			expectedNewPolicies:     []string{"PolicyAutoScaling"},
+			expectedManagedPolicies: makePartitionedPolicies("AmazonEKSWorkerNodePolicy", "AmazonEKS_CNI_Policy", "AmazonEC2ContainerRegistryReadOnly", "AmazonSSMManagedInstanceCore"),
+			description:             "AutoScaler enabled",
+		},
+		{
+			attachPolicy: cft.MakePolicyDocument(cft.MapOfInterfaces{
+				"Effect": "Allow",
+				"Action": []string{
+					"s3:Get*",
+				},
+				"Resource": "*",
+			}),
+			expectedNewPolicies:     []string{"Policy1"},
+			expectedManagedPolicies: makePartitionedPolicies("AmazonEKSWorkerNodePolicy", "AmazonEKS_CNI_Policy", "AmazonEC2ContainerRegistryReadOnly", "AmazonSSMManagedInstanceCore"),
+			description:             "Custom inline policies",
+		},
 		{
 			attachPolicyARNs:        []string{"AmazonEKSWorkerNodePolicy", "AmazonEKS_CNI_Policy"},
 			expectedManagedPolicies: subs(prefixPolicies("AmazonEKSWorkerNodePolicy", "AmazonEKS_CNI_Policy")),
-			description:             "Custom policies",
+			description:             "Custom managed policies",
 		},
 		// should not attach any additional policies
 		{
 			attachPolicyARNs:        []string{"CloudWatchAgentServerPolicy"},
 			expectedManagedPolicies: subs(prefixPolicies("CloudWatchAgentServerPolicy")),
-			description:             "Custom policies",
+			description:             "Custom managed policies",
 		},
 		// no duplicate values
 		{
@@ -81,6 +105,7 @@ func TestManagedPolicyResources(t *testing.T) {
 			ng := api.NewManagedNodeGroup()
 			api.SetManagedNodeGroupDefaults(ng, clusterConfig.Metadata)
 			ng.IAM.WithAddonPolicies = tt.addons
+			ng.IAM.AttachPolicy = tt.attachPolicy
 			ng.IAM.AttachPolicyARNs = prefixPolicies(tt.attachPolicyARNs...)
 
 			p := mockprovider.NewMockProvider()
@@ -99,11 +124,29 @@ func TestManagedPolicyResources(t *testing.T) {
 			template, err := goformation.ParseJSON(bytes)
 			require.NoError(err)
 
-			role, ok := template.GetAllIAMRoleResources()["NodeInstanceRole"]
-			require.True(ok)
+			role, err := template.GetIAMRoleWithName(cfnIAMInstanceRoleName)
+			require.NoError(err)
 
 			require.ElementsMatch(tt.expectedManagedPolicies, role.ManagedPolicyArns.Raw().(gfnt.Slice))
 
+			policyNames := make([]string, 0)
+			for name := range template.GetAllIAMPolicyResources() {
+				policyNames = append(policyNames, name)
+			}
+			require.ElementsMatch(tt.expectedNewPolicies, policyNames)
+
+			// assert custom inline policy matches
+			if tt.attachPolicy != nil {
+				policy, err := template.GetIAMPolicyWithName("Policy1")
+				require.NoError(err)
+
+				// convert to json for comparison since interfaces are not identical
+				expectedPolicy, err := json.Marshal(tt.attachPolicy)
+				require.NoError(err)
+				actualPolicy, err := json.Marshal(policy.PolicyDocument)
+				require.NoError(err)
+				require.Equal(string(expectedPolicy), string(actualPolicy))
+			}
 		})
 	}
 
@@ -167,7 +210,7 @@ func TestManagedNodeRole(t *testing.T) {
 
 			template, err := goformation.ParseJSON(bytes)
 			require.NoError(err)
-			ngResource, ok := template.Resources["ManagedNodeGroup"]
+			ngResource, ok := template.Resources[ManagedNodeGroupResourceName]
 			require.True(ok)
 			ng, ok := ngResource.(*gfneks.Nodegroup)
 			require.True(ok)

pkg/cfn/builder/managed_nodegroup_test.go

@@ -14,6 +14,7 @@ import (
 	"github.com/weaveworks/eksctl/pkg/cfn/builder"
 	"github.com/weaveworks/eksctl/pkg/cfn/builder/fakes"
 	"github.com/weaveworks/eksctl/pkg/cfn/outputs"
+	cft "github.com/weaveworks/eksctl/pkg/cfn/template"
 	"github.com/weaveworks/eksctl/pkg/eks/mocks"
 	bootstrapfakes "github.com/weaveworks/eksctl/pkg/nodebootstrap/fakes"
 	vpcfakes "github.com/weaveworks/eksctl/pkg/vpc/fakes"
@@ -225,6 +226,28 @@ var _ = Describe("Unmanaged NodeGroup Template Builder", func() {
 			})
 
 			// TODO move into IAM tests?
+			Context("attach policy is set", func() {
+				PolicyDocument := cft.MakePolicyDocument(cft.MapOfInterfaces{
+					"Effect": "Allow",
+					"Action": []string{
+						"s3:Get*",
+					},
+					"Resource": "*",
+				})
+
+				BeforeEach(func() {
+					ng.IAM.AttachPolicy = PolicyDocument
+				})
+
+				It("adds a custom policy to the role", func() {
+					Expect(ngTemplate.Resources).To(HaveKey("Policy1"))
+					Expect(ngTemplate.Resources["Policy1"].Properties.PolicyDocument.Statement).To(HaveLen(1))
+					Expect(ngTemplate.Resources["Policy1"].Properties.PolicyDocument.Statement[0].Action).To(Equal([]string{"s3:Get*"}))
+					Expect(ngTemplate.Resources["Policy1"].Properties.Roles).To(HaveLen(1))
+					Expect(isRefTo(ngTemplate.Resources["Policy1"].Properties.Roles[0], "NodeInstanceRole")).To(BeTrue())
+				})
+			})
+
 			Context("attach policy arns are set", func() {
 				BeforeEach(func() {
 					ng.IAM.AttachPolicyARNs = []string{"arn:aws:iam::1234567890:role/foo"}