
Commit 5c7bab2

Cherry pick strict IAM Role name checking from master branch - missing from this branch (#1677)
1 parent 9f21fb8 commit 5c7bab2


4 files changed

+45
-18
lines changed


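--- a/cfnresource/naming.go
+++ b/cfnresource/naming.go
@@ -4,22 +4,36 @@ import (
 "fmt"
 )
 
-func ValidateUnstableRoleNameLength(clusterName string, nestedStackLogicalName string, managedIAMRoleName string, region string) error {
-name := fmt.Sprintf("%s-%s-PRK1CVQNY7XZ-%s-%s", clusterName, nestedStackLogicalName, region, managedIAMRoleName)
-if len(name) > 64 {
-limit := 64 - len(name) + len(clusterName) + len(nestedStackLogicalName) + len(managedIAMRoleName)
-return fmt.Errorf("IAM role name(=%s) will be %d characters long. It exceeds the AWS limit of 64 characters: cluster name(=%s) + nested stack name(=%s) + managed iam role name(=%s) should be less than or equal to %d", name, len(name), clusterName, nestedStackLogicalName, managedIAMRoleName, limit)
+func ValidateUnstableRoleNameLength(clusterName string, nestedStackLogicalName string, managedIAMRoleName string, region string, strict bool) error {
+if strict {
+name := managedIAMRoleName
+if len(name) > 64 {
+return fmt.Errorf("IAM role name(=%s) will be %d characters long. It exceeds the AWS limit of 64 characters", name, len(name))
+}
+} else {
+name := fmt.Sprintf("%s-%s-PRK1CVQNY7XZ-%s-%s", clusterName, nestedStackLogicalName, region, managedIAMRoleName)
+if len(name) > 64 {
+limit := 64 - len(name) + len(clusterName) + len(nestedStackLogicalName) + len(managedIAMRoleName)
+return fmt.Errorf("IAM role name(=%s) will be %d characters long. It exceeds the AWS limit of 64 characters: cluster name(=%s) + nested stack name(=%s) + managed iam role name(=%s) should be less than or equal to %d", name, len(name), clusterName, nestedStackLogicalName, managedIAMRoleName, limit)
+}
 }
 return nil
 }
 
-func ValidateStableRoleNameLength(clusterName string, managedIAMRoleName string, region string) error {
+func ValidateStableRoleNameLength(clusterName string, managedIAMRoleName string, region string, strict bool) error {
 // include cluster name in the managed role
 // enables multiple clusters in the same account and region to have mirrored configuration without clashes
-name := fmt.Sprintf("%s-%s-%s", clusterName, region, managedIAMRoleName)
-if len(name) > 64 {
-limit := 64 - len(name) + len(managedIAMRoleName)
-return fmt.Errorf("IAM role name(=%s) will be %d characters long. It exceeds the AWS limit of 64 characters: clusterName(=%s) + region name(=%s) + managed iam role name(=%s) should be less than or equal to %d", name, len(name), clusterName, region, managedIAMRoleName, limit)
+if strict {
+name := managedIAMRoleName
+if len(name) > 64 {
+return fmt.Errorf("IAM role name(=%s) will be %d characters long. It exceeds the AWS limit of 64 characters", name, len(name))
+}
+} else {
+name := fmt.Sprintf("%s-%s-%s", clusterName, region, managedIAMRoleName)
+if len(name) > 64 {
+limit := 64 - len(name) + len(managedIAMRoleName)
+return fmt.Errorf("IAM role name(=%s) will be %d characters long. It exceeds the AWS limit of 64 characters: clusterName(=%s) + region name(=%s) + managed iam role name(=%s) should be less than or equal to %d", name, len(name), clusterName, region, managedIAMRoleName, limit)
+}
 }
 return nil
 }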
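Review bot: The strict branch added to `ValidateUnstableRoleNameLength` cannot fail for the callers in this commit: both `validate()` call sites (core/controlplane/config/config.go and core/nodepool/config/config.go) reach it only in the `else` of `len(...Role.Name) > 0`, so `managedIAMRoleName` is empty and `len(name) > 64` is always false. With `StrictName` set and no role name, the length check on the generated `%s-%s-PRK1CVQNY7XZ-%s-%s` name is skipped altogether, so an over-long name would presumably surface only when the stack is created. If strict naming without an explicit name is not a supported configuration, reject it up front, e.g. `if strict && managedIAMRoleName == "" { return fmt.Errorf("strict IAM role name requested but no role name is set") }`; otherwise fall through to the non-strict check when the name is empty. Both strict branches also check length only, so a name that is used verbatim should arguably be matched against the IAM role-name character set as well.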

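--- a/cfnresource/naming_test.go
+++ b/cfnresource/naming_test.go
@@ -4,25 +4,38 @@ import "testing"
 
 func TestValidateRoleNameLength(t *testing.T) {
 t.Run("WhenMax", func(t *testing.T) {
-if e := ValidateUnstableRoleNameLength("my-firstcluster", "prodWorkerks", "prod-workers", "us-east-1"); e != nil {
+if e := ValidateUnstableRoleNameLength("my-firstcluster", "prodWorkerks", "prod-workers", "us-east-1", false); e != nil {
 t.Errorf("expected validation to succeed but failed: %v", e)
 }
 })
 t.Run("WhenTooLong", func(t *testing.T) {
-if e := ValidateUnstableRoleNameLength("my-secondcluster", "prodWorkerks", "prod-workers", "us-east-1"); e == nil {
+if e := ValidateUnstableRoleNameLength("my-secondcluster", "prodWorkerks", "prod-workers", "us-east-1", false); e == nil {
 t.Error("expected validation to fail but succeeded")
 }
 })
 }
 
 func TestValidateManagedRoleNameLength(t *testing.T) {
 t.Run("WhenMax", func(t *testing.T) {
-if e := ValidateStableRoleNameLength("prod", "workers", "ap-southeast-1"); e != nil {
+if e := ValidateStableRoleNameLength("prod", "workers", "ap-southeast-1", false); e != nil {
 t.Errorf("expected validation to succeed but failed: %v", e)
 }
 })
 t.Run("WhenTooLong", func(t *testing.T) {
-if e := ValidateStableRoleNameLength("prod", "workers-role-with-very-very-very-very-very-long-name", "ap-southeast-1"); e == nil {
+if e := ValidateStableRoleNameLength("prod", "workers-role-with-very-very-very-very-very-long-name", "ap-southeast-1", false); e == nil {
+t.Error("expected validation to fail but succeeded")
+}
+})
+}
+
+func TestValidateManagedRoleStrictNameLength(t *testing.T) {
+t.Run("WhenMax", func(t *testing.T) {
+if e := ValidateStableRoleNameLength("prod", "workers-role-with-very-very-very-very-very-long-name", "ap-southeast-1", true); e != nil {
+t.Errorf("expected validation to succeed but failed: %v", e)
+}
+})
+t.Run("WhenTooLong", func(t *testing.T) {
+if e := ValidateStableRoleNameLength("prod", "workers-role-with-very-very-very-very-very-long-name-very-very-very-very-very-long-name", "ap-southeast-1", true); e == nil {
 t.Error("expected validation to fail but succeeded")
 }
 })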
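Review bot: The new strict tests do not pin the 64-character boundary and leave `ValidateUnstableRoleNameLength(..., true)` untested: the `WhenMax` case in `TestValidateManagedRoleStrictNameLength` uses a 52-character name, so an off-by-one in the `> 64` comparison would go unnoticed. Use names of exactly 64 and 65 characters, e.g. `strings.Repeat("a", 64)` for `WhenMax` and `strings.Repeat("a", 65)` for `WhenTooLong` (this needs `strings` imported in the test file), and add the same pair for the unstable validator with `strict` set to true. `TestValidateManagedRoleStrictNameLength` continues past the end of the hunk.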

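--- a/core/controlplane/config/config.go
+++ b/core/controlplane/config/config.go
@@ -1332,11 +1332,11 @@ func (c Cluster) validate() error {
 }
 
 if len(c.Controller.IAMConfig.Role.Name) > 0 {
-if e := cfnresource.ValidateStableRoleNameLength(c.ClusterName, c.Controller.IAMConfig.Role.Name, c.Region.String()); e != nil {
+if e := cfnresource.ValidateStableRoleNameLength(c.ClusterName, c.Controller.IAMConfig.Role.Name, c.Region.String(), c.Controller.IAMConfig.Role.StrictName); e != nil {
 return e
 }
 } else {
-if e := cfnresource.ValidateUnstableRoleNameLength(c.ClusterName, naming.FromStackToCfnResource(c.ControlPlaneStackName()), c.Controller.IAMConfig.Role.Name, c.Region.String()); e != nil {
+if e := cfnresource.ValidateUnstableRoleNameLength(c.ClusterName, naming.FromStackToCfnResource(c.ControlPlaneStackName()), c.Controller.IAMConfig.Role.Name, c.Region.String(), c.Controller.IAMConfig.Role.StrictName); e != nil {
 return e
 }
 }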

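--- a/core/nodepool/config/config.go
+++ b/core/nodepool/config/config.go
@@ -369,11 +369,11 @@ func (c ProvidedConfig) validate() error {
 }
 
 if len(c.WorkerNodePoolConfig.IAMConfig.Role.Name) > 0 {
-if e := cfnresource.ValidateStableRoleNameLength(c.ClusterName, c.WorkerNodePoolConfig.IAMConfig.Role.Name, c.Region.String()); e != nil {
+if e := cfnresource.ValidateStableRoleNameLength(c.ClusterName, c.WorkerNodePoolConfig.IAMConfig.Role.Name, c.Region.String(), c.WorkerNodePoolConfig.IAMConfig.Role.StrictName); e != nil {
 return e
 }
 } else {
-if e := cfnresource.ValidateUnstableRoleNameLength(c.ClusterName, c.NestedStackName(), c.WorkerNodePoolConfig.IAMConfig.Role.Name, c.Region.String()); e != nil {
+if e := cfnresource.ValidateUnstableRoleNameLength(c.ClusterName, c.NestedStackName(), c.WorkerNodePoolConfig.IAMConfig.Role.Name, c.Region.String(), c.WorkerNodePoolConfig.IAMConfig.Role.StrictName); e != nil {
 return e
 }
 }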
