[Feature ] Improve vpc_cidr logic (kubernetes-sigs#466)

* add subnet_cidr when vpc_cidr is set

* validate aws

* fix aws validations

* add validation AWS

* clean code

* modify aws network validation

* modify aws network validation

* modify aws network validation

* modify aws network validation

* restore snapshot version

* add new permission to doc

* add new permission to doc

* add action to doc en

* add error doc

* add error doc

---------

Co-authored-by: stg <65890694+stg-0@users.noreply.github.com>

docs/aws/Permissions/EKS/eks_Errros.md

@@ -92,4 +92,5 @@ $> aws sts decode-authorization-message --encoded-message <encoded message from
 | ERROR failed to reconcile control plane for AWSManagedControlPlane cluster-lrecio-aws/lrecio-aws-control-plane: creating role eks-cl01-iam-service-role: failed to call CreateRole: AccessDenied: User: arn:aws:iam::xxxxxxxxxxxxx:user/cloud-provisioner-eks is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::xxxxxxxxxxxxx:role/eks-cl01-iam-service-role because no identity-based policy allows the iam:CreateRole action. | 80 |
 | ERROR "error deleting EKS cluster for EKS control plane" err="unable to delete EKS cluster: failed to request delete of eks cluster eks-cl02: AccessDeniedException: User: arn:aws:iam::xxxxxxxxxxxxx:user/cloud-provisioner-eks is not authorized to perform: eks:DeleteCluster on resource: arn:aws:eks:eu-west-1:xxxxxxxxxxxxx:cluster/eks-cl02" controller="awsmanagedcontrolplane" controller Group="controlplane.cluster.x-k8s.io" controllerKind="AWSManagedControlPlane" AWSManagedControlPlane="cluster-eks-cl02/eks-cl02-control-plane" reconcileID="65704c34-09d5-4c48-b7fc-389e2afcd901" namespace="cluster-eks-cl02" name="eks-cl02-control-plane". | 81 |
 | ERROR "Reconciler error" failed to delete OIDC provider: error deleting provider: AccessDenied: User: arn:aws:iam::xxxxxxxxxxxxx:user/cloud-provisioner-eks is not authorized to perform: iam:DeleteOpenIDConnectProvider on resource: arn:aws:iam::xxxxxxxxxxxxx:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/71DCE6C4BF0301DA4E227FA5CEEDF9AB because no identity-based policy allows the iam:DeleteOpenIDConnectProvider action. | 82 |
-| ERROR "Reconciler error" err="failed to reconcile control plane for AWSManagedControlPlane cluster-eks-cl02/eks-cl02-control-plane: failed reconciling cluster version: failed to update EKS cluster: AccessDeniedException: User is not authorized to perform this action" controller="awsmanagedcontrolplane" controllerGroup="controlplane.cluster.x-k8s.io" controllerKind="AWSManagedControlPlane" AWSManagedControlPlane="cluster-eks-cl02/eks-cl02-control-plane" namespace="cluster-eks-cl02" name="eks-cl02-control-plane" reconcileID="27682de5-0bc5-4fb5-97b6-33ea18a3cf6d". | 83 |
+| ERROR "Reconciler error" err="failed to reconcile control plane for AWSManagedControlPlane cluster-eks-cl02/eks-cl02-control-plane: failed reconciling cluster version: failed to update EKS cluster: AccessDeniedException: User is not authorized to perform this action" controller="awsmanagedcontrolplane" controllerGroup="controlplane.cluster.x-k8s.io" controllerKind="AWSManagedControlPlane" AWSManagedControlPlane="cluster-eks-cl02/eks-cl02-control-plane" namespace="cluster-eks-cl02" name="eks-cl02-control-plane" reconcileID="27682de5-0bc5-4fb5-97b6-33ea18a3cf6d". | 83 |
+| ERROR "Reconciler error" err="failed to reconcile network for AWSManagedControlPlane cluster-eks-cl01/eks-cl01-control-plane: UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::<account-id>:user/cloud-provisioner-eks is not authorized to perform: ec2:AssociateVpcCidrBlock on resource: arn:aws:ec2:eu-west-1:<account-id>:vpc/<vpc-id> because no identity-based policy allows the ec2:AssociateVpcCidrBlock action.

docs/aws/Permissions/EKS/eks_permission.adoc

@@ -77,7 +77,8 @@ cloud-provisioner create cluster --name <cluster-name> --vault-password xxxxxx -
 |===
 | Permission | Necessary for | Description | Resource | Application
 | ec2:CreateVpc | Attempting to create VPC | Grants permission to create a VPC with a specified CIDR block. |  arn:aws:ec2:*:<account-id>:vpc/* | cloud-provisioner
-| ec2:CreateTags  | Attempting to create tags | Grants permission to add or overwrite one or more tags for Amazon EC2 resources. | ocker* | cloud-provisioner
+| ec2:ec2:AssociateVpcCidrBlock | Attempting to associate CIDR | Grants permission to associate a second CIDR to a existing VPC |  arn:aws:ec2:*:<account-id>:vpc/* | cloud-provisioner
+| ec2:CreateTags  | Attempting to create tags | Grants permission to add or overwrite one or more tags for Amazon EC2 resources. | * | cloud-provisioner
 | ec2:DescribeVpcs  | Attempting to describe VPCs | Grants permission to describe one or more VPCs. |  * | cloud-provisioner
 | ec2:DescribeVpcAttribute | Attempting to describe VPC attribute | Grants permission to describe an attribute of a VPC. |  arn:aws:ec2:*:<account-id>:vpc/* | cloud-provisioner
 | ec2:ModifyVpcAttribute | Attempting to modify VPC attribute | Grants permission to modify an attribute of a VPC. |  arn:aws:ec2:*:<account-id>:vpc/* | cloud-provisioner
@@ -286,4 +287,4 @@ aws eks update-addon --cluster-name <cluster-name> --addon-name vpc-cni --addon-
 | elasticloadbalancing:ConfigureHealthCheck | Attempting to configure health check | Grants permission to specify a health check configuration for the instances. |  arn:aws:elasticloadbalancing:eu-west-1:<account-id>:loadbalancer/* | cloud-provisioner
 | ec2:DescribeInstanceTypes | Attempting to describe instance types | Grants permission to describe one or more of the available instance types. |  * | cloud-provisioner
 | elasticloadbalancing:AttachLoadBalancerToSubnets | Attempting to attach load balancer to subnets | Grants permission to add one or more subnets to the set of configured subnets for the specified load balancer. |  arn:aws:elasticloadbalancing:eu-west-1:<account-id>:loadbalancer/* | cloud-provisioner
-|===
+|===

docs/aws/Permissions/EKS/eks_permission_ref.json

@@ -45,6 +45,7 @@
             "Action": [
                 "ec2:AllocateAddress",
                 "ec2:AssociateRouteTable",
+		"ec2:AssociateVpcCidrBlock",
                 "ec2:AttachInternetGateway",
                 "ec2:CreateVpc",
                 "ec2:CreateRoute",
@@ -122,4 +123,5 @@
             ]
         }
     ]
-}
+}
+

pkg/cluster/internal/validate/aws.go

@@ -166,17 +166,7 @@ func validateAWS(spec commons.KeosSpec, providerSecrets map[string]string) error
 
 func validateAWSNetwork(ctx context.Context, cfg aws.Config, spec commons.KeosSpec) error {
 	var err error
-	if spec.Networks.PodsCidrBlock != "" {
-		if spec.ControlPlane.Managed {
-			if err = validateAWSPodsNetwork(spec.Networks.PodsCidrBlock); err != nil {
-				return err
-			}
-		}
-	} else {
-		if len(spec.Networks.PodsSubnets) > 0 {
-			return errors.New("\"pods_cidr\": is required when \"pods_subnets\" is set")
-		}
-	}
+
 	if spec.Networks.VPCID != "" {
 		if spec.Networks.VPCCIDRBlock != "" {
 			return errors.New("\"vpc_id\" and \"vpc_cidr\" are mutually exclusive")
@@ -204,26 +194,36 @@ func validateAWSNetwork(ctx context.Context, cfg aws.Config, spec commons.KeosSp
 					}
 				}
 			}
-		}
-	} else {
-		if spec.Networks.VPCCIDRBlock != "" {
-			const cidrSizeMin = 256
-			_, ipv4Net, err := net.ParseCIDR(spec.Networks.VPCCIDRBlock)
-			if err != nil {
-				return errors.New("\"vpc_cidr\": CIDR block must be a valid IPv4 CIDR block")
-			}
-			cidrSize := cidr.AddressCount(ipv4Net)
-			if cidrSize < cidrSizeMin {
-				return errors.New("\"vpc_cidr\": CIDR block size must be at least /24 netmask")
-			}
-			if len(spec.Networks.Subnets) > 0 {
-				return errors.New("\"subnets\": are not supported when \"vpc_cidr\" is set")
+			if len(spec.Networks.PodsSubnets) > 0 && spec.Networks.PodsCidrBlock != "" {
+				return errors.New("\"pods_cidr\": is ignored when \"pods_subnets\" are set")
 			}
 		}
+	} else {
 		if len(spec.Networks.PodsSubnets) > 0 {
 			return errors.New("\"vpc_id\": is required when \"pods_subnets\" is set")
 		}
 	}
+	if spec.Networks.VPCCIDRBlock != "" {
+		const cidrSizeMin = 256
+		_, ipv4Net, err := net.ParseCIDR(spec.Networks.VPCCIDRBlock)
+		if err != nil {
+			return errors.New("\"vpc_cidr\": CIDR block must be a valid IPv4 CIDR block")
+		}
+		cidrSize := cidr.AddressCount(ipv4Net)
+		if cidrSize < cidrSizeMin {
+			return errors.New("\"vpc_cidr\": CIDR block size must be at least /24 netmask")
+		}
+		if len(spec.Networks.Subnets) > 0 {
+			return errors.New("\"subnets\": are not supported when \"vpc_cidr\" is defined")
+		}
+	}
+	if spec.Networks.PodsCidrBlock != "" {
+		if spec.ControlPlane.Managed {
+			if err = validateAWSPodsNetwork(spec.Networks.PodsCidrBlock); err != nil {
+				return err
+			}
+		}
+	}
 	return nil
 }
 
@@ -474,4 +474,4 @@ func getAWSAzs(ctx context.Context, cfg aws.Config, region string) ([]string, er
 		}
 	}
 	return azs, nil
-}
+}

stratio-docs/en/modules/ROOT/assets/attachments/stratio-eks-policy.json

@@ -43,6 +43,7 @@
           "Action": [
               "ec2:AllocateAddress",
               "ec2:AssociateRouteTable",
+	      "ec2:AssociateVpcCidrBlock",
               "ec2:AttachInternetGateway",
               "ec2:CreateVpc",
               "ec2:CreateRoute",

stratio-docs/es/modules/ROOT/assets/attachments/stratio-eks-policy.json

@@ -43,6 +43,7 @@
           "Action": [
               "ec2:AllocateAddress",
               "ec2:AssociateRouteTable",
+	      "ec2:AssociateVpcCidrBlock",
               "ec2:AttachInternetGateway",
               "ec2:CreateVpc",
               "ec2:CreateRoute",