Refactor Role PolicyDoc creation

Adds support for both operator roles (with multiple service accounts)
and addon roles (with a single service account)

cmd/create/operatorroles/cmd.go

@@ -291,7 +291,7 @@ func createRoles(r *rosa.Runtime,
 		}
 		policyDetails = policies["operator_iam_role_policy"]
 
-		policy, err := aws.GenerateRolePolicyDoc(cluster, accountID, operator, policyDetails)
+		policy, err := aws.GenerateOperatorRolePolicyDoc(cluster, accountID, operator, policyDetails)
 		if err != nil {
 			return err
 		}
@@ -360,7 +360,7 @@ func buildCommands(r *rosa.Runtime,
 		}
 
 		policyDetail := policies["operator_iam_role_policy"]
-		policy, err := aws.GenerateRolePolicyDoc(cluster, accountID, operator, policyDetail)
+		policy, err := aws.GenerateOperatorRolePolicyDoc(cluster, accountID, operator, policyDetail)
 		if err != nil {
 			return "", err
 		}

cmd/upgrade/operatorroles/cmd.go

@@ -365,7 +365,7 @@ func buildMissingOperatorRoleCommand(missingRoles map[string]*cmv1.STSOperator,
 		roleName := getRoleName(cluster, operator)
 		policyARN := aws.GetOperatorPolicyARN(accountID, prefix, operator.Namespace(), operator.Name())
 		policyDetails := policies["operator_iam_role_policy"]
-		policy, err := aws.GenerateRolePolicyDoc(cluster, accountID, operator, policyDetails)
+		policy, err := aws.GenerateOperatorRolePolicyDoc(cluster, accountID, operator, policyDetails)
 		if err != nil {
 			return "", err
 		}
@@ -415,7 +415,7 @@ func upgradeMissingOperatorRole(missingRoles map[string]*cmv1.STSOperator, clust
 		policyDetails := policies["operator_iam_role_policy"]
 
 		policyARN := aws.GetOperatorPolicyARN(accountID, prefix, operator.Namespace(), operator.Name())
-		policy, err := aws.GenerateRolePolicyDoc(cluster, accountID, operator, policyDetails)
+		policy, err := aws.GenerateOperatorRolePolicyDoc(cluster, accountID, operator, policyDetails)
 		if err != nil {
 			return err
 		}

pkg/aws/policy_document.go

@@ -270,8 +270,7 @@ func getPolicyDocument(policyDocument *string) (*PolicyDocument, error) {
 	return &data, nil
 }
 
-func GenerateRolePolicyDoc(cluster *cmv1.Cluster, accountID string, operator *cmv1.STSOperator,
-	policyDetails string) (string, error) {
+func GenerateRolePolicyDoc(cluster *cmv1.Cluster, accountID, serviceAccounts, policyDetails string) (string, error) {
 	oidcEndpointURL, err := url.ParseRequestURI(cluster.AWS().STS().OIDCEndpointURL())
 	if err != nil {
 		return "", err
@@ -280,17 +279,28 @@ func GenerateRolePolicyDoc(cluster *cmv1.Cluster, accountID string, operator *cm
 
 	oidcProviderARN := fmt.Sprintf("arn:aws:iam::%s:oidc-provider/%s", accountID, issuerURL)
 
-	serviceAccounts := []string{}
-	for _, sa := range operator.ServiceAccounts() {
-		serviceAccounts = append(serviceAccounts,
-			fmt.Sprintf("system:serviceaccount:%s:%s", operator.Namespace(), sa))
-	}
-
 	policy := InterpolatePolicyDocument(policyDetails, map[string]string{
 		"oidc_provider_arn": oidcProviderARN,
 		"issuer_url":        issuerURL,
-		"service_accounts":  strings.Join(serviceAccounts, `" , "`),
+		"service_accounts":  serviceAccounts,
 	})
 
 	return policy, nil
 }
+
+func GenerateOperatorRolePolicyDoc(cluster *cmv1.Cluster, accountID string, operator *cmv1.STSOperator,
+	policyDetails string) (string, error) {
+	serviceAccounts := make([]string, len(operator.ServiceAccounts()))
+	for i, sa := range operator.ServiceAccounts() {
+		serviceAccounts[i] = fmt.Sprintf("system:serviceaccount:%s:%s", operator.Namespace(), sa)
+	}
+	service_accounts := strings.Join(serviceAccounts, `" , "`)
+
+	return GenerateRolePolicyDoc(cluster, accountID, service_accounts, policyDetails)
+}
+
+func GenerateAddonPolicyDoc(cluster *cmv1.Cluster, accountID string, cr *cmv1.CredentialRequest,
+	policyDetails string) (string, error) {
+	service_accounts := fmt.Sprintf("system:serviceaccount:%s:%s", cr.Namespace(), cr.ServiceAccount())
+	return GenerateRolePolicyDoc(cluster, accountID, service_accounts, policyDetails)
+}