diff --git a/pkg/asset/installconfig/aws/permissions.go b/pkg/asset/installconfig/aws/permissions.go
index 94ba5f86e4e..fc592e71f80 100644
--- a/pkg/asset/installconfig/aws/permissions.go
+++ b/pkg/asset/installconfig/aws/permissions.go
@@ -4,6 +4,7 @@ package aws
 import (
 	"errors"
 	"fmt"
+	"regexp"
 
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/sirupsen/logrus"
@@ -68,6 +69,9 @@ const (
 	// PermissionDefaultZones is a permission set required when zones are not set in the install-config.
 	PermissionDefaultZones PermissionGroup = "permission-default-zones"
 
+	// PermissionCreateCarrierGateway is a permission set required when an edge compute pool with WL zones is set in the install-config.
+	PermissionCreateCarrierGateway PermissionGroup = "permission-create-carrier-gateway"
+
 	// PermissionMintCreds is a permission set required when minting credentials.
 	PermissionMintCreds PermissionGroup = "permission-mint-creds"
 
@@ -324,6 +328,12 @@ var permissions = map[PermissionGroup][]string{
 		// Needed to filter zones by instance type
 		"ec2:DescribeInstanceTypeOfferings",
 	},
+	PermissionCreateCarrierGateway: {
+		// Needed by CAPA to create Carrier Gateways.
+		"ec2:DescribeCarrierGateways",
+		"ec2:CreateCarrierGateway",
+		"ec2:DeleteCarrierGateway",
+	},
 	// From: https://github.com/openshift/cloud-credential-operator/blob/master/pkg/aws/utils.go
 	// TODO: export these in CCO so we don't have to duplicate them here.
 	PermissionMintCreds: {
@@ -511,6 +521,10 @@ func RequiredPermissionGroups(ic *types.InstallConfig) []PermissionGroup {
 		permissionGroups = append(permissionGroups, PermissionDefaultZones)
 	}
 
+	if includesWavelengthZones(ic) {
+		permissionGroups = append(permissionGroups, PermissionCreateCarrierGateway)
+	}
+
 	return permissionGroups
 }
 
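Review bot: The doc comment on `PermissionCreateCarrierGateway` in the const hunk abbreviates the zone type as "WL", which a reader who does not know AWS zone naming cannot expand, and it does not say which component consumes the permission set even though the `permissions` map entry in the next hunk attributes it to CAPA. Suggest `// PermissionCreateCarrierGateway is a permission set required when an edge compute pool lists Wavelength (WL) zones in the install-config; CAPA needs it to manage Carrier Gateways.` so the constant and the map entry tell the same story. The three `ec2:*CarrierGateway` actions themselves are a narrow, self-contained grant, which is appropriate for a conditionally added group.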
@@ -682,3 +696,20 @@ func includesZones(installConfig *types.InstallConfig) bool {
 	return len(mpool.Zones) > 0 || len(installConfig.AWS.Subnets) > 0
 }
+
+func includesWavelengthZones(installConfig *types.InstallConfig) bool {
+	isWLZoneRegex := regexp.MustCompile(`wl\d\-.*$`)
+
+	for _, mpool := range installConfig.Compute {
+		if mpool.Name != types.MachinePoolEdgeRoleName || mpool.Platform.AWS == nil {
+			continue
+		}
+		for _, zone := range mpool.Platform.AWS.Zones {
+			if isWLZoneRegex.MatchString(zone) {
+				return true
+			}
+		}
+	}
+
+	return false
+}
diff --git a/pkg/asset/installconfig/aws/permissions_test.go b/pkg/asset/installconfig/aws/permissions_test.go
index 83697270661..c61fecfa2be 100644
--- a/pkg/asset/installconfig/aws/permissions_test.go
+++ b/pkg/asset/installconfig/aws/permissions_test.go
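Review bot: `isWLZoneRegex` is recompiled with `regexp.MustCompile` on every call to `includesWavelengthZones`; a constant pattern belongs at package scope, e.g. `var wavelengthZoneRegex = regexp.MustCompile(`wl\d-`)` with the loop using `if wavelengthZoneRegex.MatchString(zone) {`. The `\-` escape and the trailing `.*$` in `wl\d\-.*$` add nothing for newline-free zone names, so the shorter pattern is equivalent; note the match is unanchored, so it keys off any `wl<digit>-` segment in the name (the `us-west-2-wl1-sea-wlz-1` form used in the tests) rather than a lookup against the API, which the function should say in a doc comment such as `// includesWavelengthZones reports whether the edge compute pool lists a Wavelength zone, which requires the carrier gateway permissions.` The pool-name filter on `types.MachinePoolEdgeRoleName` means WL zones listed on a non-edge pool are ignored; if that is intended it is worth a one-line comment on the `continue`. The enclosing `includesZones` function starts outside the hunk.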
@@ -807,3 +807,39 @@ func TestIncludesZones(t *testing.T) {
 		assert.Contains(t, requiredPerms, PermissionDefaultZones)
 	})
 }
+
+func TestIncludesWavelengthZones(t *testing.T) {
+	t.Run("Should be true when edge compute specified with WL zones", func(t *testing.T) {
+		ic := validInstallConfig()
+		ic.Compute = append(ic.Compute, types.MachinePool{
+			Name: "edge",
+			Platform: types.MachinePoolPlatform{
+				AWS: &aws.MachinePool{
+					Zones: []string{"us-west-2-pdx-1a", "us-west-2-wl1-sea-wlz-1"},
+				},
+			},
+		})
+		requiredPerms := RequiredPermissionGroups(ic)
+		assert.Contains(t, requiredPerms, PermissionCreateCarrierGateway)
+	})
+	t.Run("Should be false when", func(t *testing.T) {
+		t.Run("edge compute specified without WL zones", func(t *testing.T) {
+			ic := validInstallConfig()
+			ic.Compute = append(ic.Compute, types.MachinePool{
+				Name: "edge",
+				Platform: types.MachinePoolPlatform{
+					AWS: &aws.MachinePool{
+						Zones: []string{"us-west-1a", "us-west-2-pdx-1a"},
+					},
+				},
+			})
+			requiredPerms := RequiredPermissionGroups(ic)
+			assert.NotContains(t, requiredPerms, PermissionCreateCarrierGateway)
+		})
+		t.Run("edge compute not specified", func(t *testing.T) {
+			ic := validInstallConfig()
+			requiredPerms := RequiredPermissionGroups(ic)
+			assert.NotContains(t, requiredPerms, PermissionCreateCarrierGateway)
+		})
+	})
+}
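Review bot: Both machine pools in `TestIncludesWavelengthZones` hard-code `Name: "edge"` while the production filter compares against `types.MachinePoolEdgeRoleName`; use `Name: types.MachinePoolEdgeRoleName,` in both places so the test follows the constant if it ever changes (the positive case passing suggests the values agree today, but the literal hides that dependency). The negative cases also never cover a non-edge pool that lists a WL zone, which is the branch the name check in `includesWavelengthZones` exists for; a third subtest with a pool named, say, `"worker"` and `Zones: []string{"us-west-2-wl1-sea-wlz-1"}` asserting `NotContains` would pin that behaviour. The enclosing `TestIncludesZones` function starts outside the hunk.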