Add ASG CreateServiceLinkedRole and DescribeInstanceRefreshes permission

Sedef · Sedef · commit fc2de5b2ac5c · 2021-01-21T03:55:00.000-05:00
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go b/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
@@ -120,6 +120,7 @@ func (t Template) controllersPolicy() *iamv1.PolicyDocument {
 				"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
 				"elasticloadbalancing:RemoveTags",
 				"autoscaling:DescribeAutoScalingGroups",
+				"autoscaling:DescribeInstanceRefreshes",
 				"ec2:CreateLaunchTemplate",
 				"ec2:CreateLaunchTemplateVersion",
 				"ec2:DescribeLaunchTemplates",
@@ -138,11 +139,22 @@ func (t Template) controllersPolicy() *iamv1.PolicyDocument {
 				"autoscaling:UpdateAutoScalingGroup",
 				"autoscaling:CreateOrUpdateTags",
 				"autoscaling:StartInstanceRefresh",
-				"autoscaling:UpdateAutoScalingGroup",
 				"autoscaling:DeleteAutoScalingGroup",
 				"autoscaling:DeleteTags",
 			},
 		},
+		{
+			Effect: iamv1.EffectAllow,
+			Resource: iamv1.Resources{
+				"arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
+			},
+			Action: iamv1.Actions{
+				"iam:CreateServiceLinkedRole",
+			},
+			Condition: iamv1.Conditions{
+				iamv1.StringLike: map[string]string{"iam:AWSServiceName": "autoscaling.amazonaws.com"},
+			},
+		},
 		{
 			Effect: iamv1.EffectAllow,
 			Resource: iamv1.Resources{
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml
@@ -192,6 +192,7 @@ Resources:
           - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
           - elasticloadbalancing:RemoveTags
           - autoscaling:DescribeAutoScalingGroups
+          - autoscaling:DescribeInstanceRefreshes
           - ec2:CreateLaunchTemplate
           - ec2:CreateLaunchTemplateVersion
           - ec2:DescribeLaunchTemplates
@@ -205,11 +206,20 @@ Resources:
           - autoscaling:CreateAutoScalingGroup
           - autoscaling:UpdateAutoScalingGroup
           - autoscaling:CreateOrUpdateTags
+          - autoscaling:StartInstanceRefresh
           - autoscaling:DeleteAutoScalingGroup
           - autoscaling:DeleteTags
           Effect: Allow
           Resource:
           - arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*
+        - Action:
+          - iam:CreateServiceLinkedRole
+          Condition:
+            StringLike:
+              iam:AWSServiceName: autoscaling.amazonaws.com
+          Effect: Allow
+          Resource:
+          - arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling
         - Action:
           - iam:CreateServiceLinkedRole
           Condition:
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml
@@ -192,6 +192,7 @@ Resources:
           - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
           - elasticloadbalancing:RemoveTags
           - autoscaling:DescribeAutoScalingGroups
+          - autoscaling:DescribeInstanceRefreshes
           - ec2:CreateLaunchTemplate
           - ec2:CreateLaunchTemplateVersion
           - ec2:DescribeLaunchTemplates
@@ -205,11 +206,20 @@ Resources:
           - autoscaling:CreateAutoScalingGroup
           - autoscaling:UpdateAutoScalingGroup
           - autoscaling:CreateOrUpdateTags
+          - autoscaling:StartInstanceRefresh
           - autoscaling:DeleteAutoScalingGroup
           - autoscaling:DeleteTags
           Effect: Allow
           Resource:
           - arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*
+        - Action:
+          - iam:CreateServiceLinkedRole
+          Condition:
+            StringLike:
+              iam:AWSServiceName: autoscaling.amazonaws.com
+          Effect: Allow
+          Resource:
+          - arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling
         - Action:
           - iam:CreateServiceLinkedRole
           Condition:
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml
@@ -198,6 +198,7 @@ Resources:
           - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
           - elasticloadbalancing:RemoveTags
           - autoscaling:DescribeAutoScalingGroups
+          - autoscaling:DescribeInstanceRefreshes
           - ec2:CreateLaunchTemplate
           - ec2:CreateLaunchTemplateVersion
           - ec2:DescribeLaunchTemplates
@@ -211,11 +212,20 @@ Resources:
           - autoscaling:CreateAutoScalingGroup
           - autoscaling:UpdateAutoScalingGroup
           - autoscaling:CreateOrUpdateTags
+          - autoscaling:StartInstanceRefresh
           - autoscaling:DeleteAutoScalingGroup
           - autoscaling:DeleteTags
           Effect: Allow
           Resource:
           - arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*
+        - Action:
+          - iam:CreateServiceLinkedRole
+          Condition:
+            StringLike:
+              iam:AWSServiceName: autoscaling.amazonaws.com
+          Effect: Allow
+          Resource:
+          - arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling
         - Action:
           - iam:CreateServiceLinkedRole
           Condition:
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml
@@ -197,6 +197,7 @@ Resources:
           - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
           - elasticloadbalancing:RemoveTags
           - autoscaling:DescribeAutoScalingGroups
+          - autoscaling:DescribeInstanceRefreshes
           - ec2:CreateLaunchTemplate
           - ec2:CreateLaunchTemplateVersion
           - ec2:DescribeLaunchTemplates
@@ -210,11 +211,20 @@ Resources:
           - autoscaling:CreateAutoScalingGroup
           - autoscaling:UpdateAutoScalingGroup
           - autoscaling:CreateOrUpdateTags
+          - autoscaling:StartInstanceRefresh
           - autoscaling:DeleteAutoScalingGroup
           - autoscaling:DeleteTags
           Effect: Allow
           Resource:
           - arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*
+        - Action:
+          - iam:CreateServiceLinkedRole
+          Condition:
+            StringLike:
+              iam:AWSServiceName: autoscaling.amazonaws.com
+          Effect: Allow
+          Resource:
+          - arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling
         - Action:
           - iam:CreateServiceLinkedRole
           Condition:
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml
@@ -192,6 +192,7 @@ Resources:
           - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
           - elasticloadbalancing:RemoveTags
           - autoscaling:DescribeAutoScalingGroups
+          - autoscaling:DescribeInstanceRefreshes
           - ec2:CreateLaunchTemplate
           - ec2:CreateLaunchTemplateVersion
           - ec2:DescribeLaunchTemplates
@@ -205,11 +206,20 @@ Resources:
           - autoscaling:CreateAutoScalingGroup
           - autoscaling:UpdateAutoScalingGroup
           - autoscaling:CreateOrUpdateTags
+          - autoscaling:StartInstanceRefresh
           - autoscaling:DeleteAutoScalingGroup
           - autoscaling:DeleteTags
           Effect: Allow
           Resource:
           - arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*
+        - Action:
+          - iam:CreateServiceLinkedRole
+          Condition:
+            StringLike:
+              iam:AWSServiceName: autoscaling.amazonaws.com
+          Effect: Allow
+          Resource:
+          - arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling
         - Action:
           - iam:CreateServiceLinkedRole
           Condition:
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml
@@ -192,6 +192,7 @@ Resources:
           - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
           - elasticloadbalancing:RemoveTags
           - autoscaling:DescribeAutoScalingGroups
+          - autoscaling:DescribeInstanceRefreshes
           - ec2:CreateLaunchTemplate
           - ec2:CreateLaunchTemplateVersion
           - ec2:DescribeLaunchTemplates
@@ -205,11 +206,20 @@ Resources:
           - autoscaling:CreateAutoScalingGroup
           - autoscaling:UpdateAutoScalingGroup
           - autoscaling:CreateOrUpdateTags
+          - autoscaling:StartInstanceRefresh
           - autoscaling:DeleteAutoScalingGroup
           - autoscaling:DeleteTags
           Effect: Allow
           Resource:
           - arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*
+        - Action:
+          - iam:CreateServiceLinkedRole
+          Condition:
+            StringLike:
+              iam:AWSServiceName: autoscaling.amazonaws.com
+          Effect: Allow
+          Resource:
+          - arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling
         - Action:
           - iam:CreateServiceLinkedRole
           Condition:
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_enable.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_enable.yaml
@@ -192,6 +192,7 @@ Resources:
           - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
           - elasticloadbalancing:RemoveTags
           - autoscaling:DescribeAutoScalingGroups
+          - autoscaling:DescribeInstanceRefreshes
           - ec2:CreateLaunchTemplate
           - ec2:CreateLaunchTemplateVersion
           - ec2:DescribeLaunchTemplates
@@ -205,11 +206,20 @@ Resources:
           - autoscaling:CreateAutoScalingGroup
           - autoscaling:UpdateAutoScalingGroup
           - autoscaling:CreateOrUpdateTags
+          - autoscaling:StartInstanceRefresh
           - autoscaling:DeleteAutoScalingGroup
           - autoscaling:DeleteTags
           Effect: Allow
           Resource:
           - arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*
+        - Action:
+          - iam:CreateServiceLinkedRole
+          Condition:
+            StringLike:
+              iam:AWSServiceName: autoscaling.amazonaws.com
+          Effect: Allow
+          Resource:
+          - arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling
         - Action:
           - iam:CreateServiceLinkedRole
           Condition:
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml
@@ -192,6 +192,7 @@ Resources:
           - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
           - elasticloadbalancing:RemoveTags
           - autoscaling:DescribeAutoScalingGroups
+          - autoscaling:DescribeInstanceRefreshes
           - ec2:CreateLaunchTemplate
           - ec2:CreateLaunchTemplateVersion
           - ec2:DescribeLaunchTemplates
@@ -205,11 +206,20 @@ Resources:
           - autoscaling:CreateAutoScalingGroup
           - autoscaling:UpdateAutoScalingGroup
           - autoscaling:CreateOrUpdateTags
+          - autoscaling:StartInstanceRefresh
           - autoscaling:DeleteAutoScalingGroup
           - autoscaling:DeleteTags
           Effect: Allow
           Resource:
           - arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*
+        - Action:
+          - iam:CreateServiceLinkedRole
+          Condition:
+            StringLike:
+              iam:AWSServiceName: autoscaling.amazonaws.com
+          Effect: Allow
+          Resource:
+          - arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling
         - Action:
           - iam:CreateServiceLinkedRole
           Condition:
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_ssm_secret_backend.yaml b/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_ssm_secret_backend.yaml
@@ -192,6 +192,7 @@ Resources:
           - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
           - elasticloadbalancing:RemoveTags
           - autoscaling:DescribeAutoScalingGroups
+          - autoscaling:DescribeInstanceRefreshes
           - ec2:CreateLaunchTemplate
           - ec2:CreateLaunchTemplateVersion
           - ec2:DescribeLaunchTemplates
@@ -205,11 +206,20 @@ Resources:
           - autoscaling:CreateAutoScalingGroup
           - autoscaling:UpdateAutoScalingGroup
           - autoscaling:CreateOrUpdateTags
+          - autoscaling:StartInstanceRefresh
           - autoscaling:DeleteAutoScalingGroup
           - autoscaling:DeleteTags
           Effect: Allow
           Resource:
           - arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*
+        - Action:
+          - iam:CreateServiceLinkedRole
+          Condition:
+            StringLike:
+              iam:AWSServiceName: autoscaling.amazonaws.com
+          Effect: Allow
+          Resource:
+          - arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling
         - Action:
           - iam:CreateServiceLinkedRole
           Condition:
diff --git a/test/e2e/data/e2e_conf.yaml b/test/e2e/data/e2e_conf.yaml
@@ -137,4 +137,4 @@ intervals:
   default/wait-machine-status: ["40m", "10s"]
   default/wait-infra-subnets: ["5m", "30s"]
   default/wait-machine-pool-nodes: ["40m", "10s"]
-  default/wait-machine-pool-upgrade: [ "40m", "10s" ]
+  default/wait-machine-pool-upgrade: [ "50m", "10s" ]
diff --git a/test/e2e/suites/unmanaged/unmanaged_CAPI_test.go b/test/e2e/suites/unmanaged/unmanaged_CAPI_test.go
diff --git a/test/e2e/suites/unmanaged/unmanaged_test.go b/test/e2e/suites/unmanaged/unmanaged_test.go
