adding prefix in policy name

platform9 · Aug 19, 2024 · b998db2 · b998db2
1 parent 306af01
commit b998db2
Showing 1 changed file with 76 additions and 8 deletions.
diff --git a/emp/emp_role_cftemplate.yaml b/emp/emp_role_cftemplate.yaml
@@ -3,14 +3,14 @@ Parameters:
   RoleName:
     Type: String
     Description: The name of the IAM role and instance profile.
-    Default: 'pf9-emp-role'
+    Default: 'pf9emp'
 
 Resources:
   # CAPA Policies
   AWSIAMManagedPolicyCloudProviderControlPlane:
     Properties:
       Description: For the Kubernetes Cloud Provider AWS Control Plane
-      ManagedPolicyName: control-plane.cluster-api-provider-aws.sigs.k8s.io
+      ManagedPolicyName: !Sub "${RoleName}-control-plane.cluster-api-provider-aws.sigs.k8s.io"
       PolicyDocument:
         Statement:
         - Action:
@@ -74,11 +74,13 @@ Resources:
           Resource:
           - '*'
         Version: 2012-10-17
+      Roles:
+      - Ref: AWSIAMRoleControlPlane
     Type: AWS::IAM::ManagedPolicy
   AWSIAMManagedPolicyCloudProviderNodes:
     Properties:
       Description: For the Kubernetes Cloud Provider AWS nodes
-      ManagedPolicyName: nodes.cluster-api-provider-aws.sigs.k8s.io
+      ManagedPolicyName: !Sub "${RoleName}-nodes.cluster-api-provider-aws.sigs.k8s.io"
       PolicyDocument:
         Statement:
         - Action:
@@ -116,11 +118,14 @@ Resources:
           Resource:
           - '*'
         Version: 2012-10-17
+      Roles:
+      - Ref: AWSIAMRoleControlPlane
+      - Ref: AWSIAMRoleNodes
     Type: AWS::IAM::ManagedPolicy
   AWSIAMManagedPolicyControllers:
     Properties:
       Description: For the Kubernetes Cluster API Provider AWS Controllers
-      ManagedPolicyName: controllers.cluster-api-provider-aws.sigs.k8s.io
+      ManagedPolicyName: !Sub "${RoleName}-controllers.cluster-api-provider-aws.sigs.k8s.io"
       PolicyDocument:
         Statement:
         - Action:
@@ -277,11 +282,14 @@ Resources:
           Resource:
           - arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/*
         Version: 2012-10-17
+      Roles:
+      - Ref: AWSIAMRoleControllers
+      - Ref: AWSIAMRoleControlPlane
     Type: AWS::IAM::ManagedPolicy
   AWSIAMManagedPolicyControllersEKS:
     Properties:
       Description: For the Kubernetes Cluster API Provider AWS Controllers
-      ManagedPolicyName: controllers-eks.cluster-api-provider-aws.sigs.k8s.io
+      ManagedPolicyName: !Sub "${RoleName}-controllers-eks.cluster-api-provider-aws.sigs.k8s.io"
       PolicyDocument:
         Statement:
         - Action:
@@ -381,7 +389,67 @@ Resources:
           Resource:
           - '*'
         Version: 2012-10-17
+      Roles:
+      - Ref: AWSIAMRoleControllers
+      - Ref: AWSIAMRoleControlPlane
     Type: AWS::IAM::ManagedPolicy
+  AWSIAMRoleControlPlane:
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+        - Action:
+          - sts:AssumeRole
+          Effect: Allow
+          Principal:
+            Service:
+            - ec2.amazonaws.com
+        Version: 2012-10-17
+      RoleName: !Sub "${RoleName}-control-plane.cluster-api-provider-aws.sigs.k8s.io"
+    Type: AWS::IAM::Role
+  AWSIAMRoleControllers:
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+        - Action:
+          - sts:AssumeRole
+          Effect: Allow
+          Principal:
+            Service:
+            - ec2.amazonaws.com
+        Version: 2012-10-17
+      RoleName: !Sub "${RoleName}-controllers.cluster-api-provider-aws.sigs.k8s.io"
+    Type: AWS::IAM::Role
+  AWSIAMRoleEKSControlPlane:
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+        - Action:
+          - sts:AssumeRole
+          Effect: Allow
+          Principal:
+            Service:
+            - eks.amazonaws.com
+        Version: 2012-10-17
+      ManagedPolicyArns:
+      - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
+      RoleName: !Sub "${RoleName}-eks-controlplane.cluster-api-provider-aws.sigs.k8s.io"
+    Type: AWS::IAM::Role
+  AWSIAMRoleNodes:
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+        - Action:
+          - sts:AssumeRole
+          Effect: Allow
+          Principal:
+            Service:
+            - ec2.amazonaws.com
+        Version: 2012-10-17
+      ManagedPolicyArns:
+      - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
+      - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
+      RoleName: !Sub "${RoleName}-nodes.cluster-api-provider-aws.sigs.k8s.io"
+    Type: AWS::IAM::Role
 # PF9 Role and Policies
   EKSRole:
     Type: 'AWS::IAM::Role'
@@ -392,7 +460,7 @@ Resources:
         Statement:
           - Effect: 'Allow'
             Principal:
-              Service:
+              Service: 
                 - 'ec2.amazonaws.com'
               AWS:
                 - 'arn:aws:iam::617350239289:root'
@@ -410,7 +478,7 @@ Resources:
   PF9EMPPolicy:
     Properties:
       Description: EMP PF9 Policy
-      ManagedPolicyName: emp-policy
+      ManagedPolicyName: !Sub "${RoleName}-emp-policy"
       PolicyDocument:
         Statement:
         - Action:
@@ -450,7 +518,7 @@ Resources:
           Effect: Allow
         - Action:
           - 'iam:PassRole'
-          Resource:
+          Resource: 
           - !Sub 'arn:aws:iam::${AWS::AccountId}:role/${EKSRole}'
           Effect: Allow
         - Action: