diff --git a/cloudmock/aws/mockiam/iamrole.go b/cloudmock/aws/mockiam/iamrole.go index e546de4685e95..39a70786a3014 100644 --- a/cloudmock/aws/mockiam/iamrole.go +++ b/cloudmock/aws/mockiam/iamrole.go @@ -64,6 +64,7 @@ func (m *MockIAM) CreateRole(request *iam.CreateRoleInput) (*iam.CreateRoleOutpu }, RoleName: request.RoleName, RoleId: &roleID, + Tags: request.Tags, } if m.Roles == nil { diff --git a/pkg/model/iam.go b/pkg/model/iam.go index 7023095123d02..e54fdf5d13814 100644 --- a/pkg/model/iam.go +++ b/pkg/model/iam.go @@ -136,6 +136,7 @@ func (b *IAMModelBuilder) buildIAMRole(role iam.Subject, iamName string, c *fi.M Lifecycle: b.Lifecycle, RolePolicyDocument: rolePolicy, + Tags: b.CloudTags(iamName, false), } if isServiceAccount { diff --git a/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf b/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf index 1c4361da94010..5d542fbff3ab7 100644 --- a/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf +++ b/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf 
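Review bot: `Tags: request.Tags` in the mock's CreateRole records tags only at creation time, so a role that already exists untagged (the upgrade case for clusters built before this change) is not represented. If the real task reconciles tags on existing roles, presumably through TagRole, the mock needs matching TagRole/ListRoleTags handling or that path stays untested; the task-side code is not visible in this diff, so please confirm. If the mock has no such handler, a comment on the field such as `// Tags are recorded at creation only; later tag changes are not modelled` would make the limit explicit. CreateRole's body starts and ends outside the hunk.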
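Review bot: `Tags: b.CloudTags(iamName, false)` in buildIAMRole puts the cluster's cloud labels on the instance roles, and tags on an IAM role are principal tags, so any policy in the account conditioned on `aws:PrincipalTag/<key>` will now evaluate them. The fixtures later in this diff show labels such as `Owner` and `foo/bar`, which look like user-supplied cloud labels, landing on the masters and nodes roles; whoever can edit those labels can therefore influence attribute-based access decisions for these roles. I would document that above the field, e.g. `// Role tags are IAM principal tags; cloud labels set here are visible to aws:PrincipalTag conditions.` As far as I know IAM also restricts tag characters more tightly than EC2 does, so a label accepted for other resources may be rejected at role creation and is worth validating before the API call. buildIAMRole's body starts and ends outside the hunk.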
@@ -380,16 +380,31 @@ resource "aws_iam_role_policy" "nodes-bastionuserdata-example-com" { resource "aws_iam_role" "bastions-bastionuserdata-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_bastions.bastionuserdata.example.com_policy") name = "bastions.bastionuserdata.example.com" + tags = { + "KubernetesCluster" = "bastionuserdata.example.com" + "Name" = "bastions.bastionuserdata.example.com" + "kubernetes.io/cluster/bastionuserdata.example.com" = "owned" + } } resource "aws_iam_role" "masters-bastionuserdata-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_masters.bastionuserdata.example.com_policy") name = "masters.bastionuserdata.example.com" + tags = { + "KubernetesCluster" = "bastionuserdata.example.com" + "Name" = "masters.bastionuserdata.example.com" + "kubernetes.io/cluster/bastionuserdata.example.com" = "owned" + } } resource "aws_iam_role" "nodes-bastionuserdata-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.bastionuserdata.example.com_policy") name = "nodes.bastionuserdata.example.com" + tags = { + "KubernetesCluster" = "bastionuserdata.example.com" + "Name" = "nodes.bastionuserdata.example.com" + "kubernetes.io/cluster/bastionuserdata.example.com" = "owned" + } } resource "aws_internet_gateway" "bastionuserdata-example-com" { diff --git a/tests/integration/update_cluster/complex/cloudformation.json b/tests/integration/update_cluster/complex/cloudformation.json index 1401f6b4b364d..9e2e0a5c95efc 100644 --- a/tests/integration/update_cluster/complex/cloudformation.json +++ b/tests/integration/update_cluster/complex/cloudformation.json 
@@ -1577,7 +1577,29 @@ ], "Version": "2012-10-17" }, - "PermissionsBoundary": "arn:aws:iam:00000000000:policy/boundaries" + "PermissionsBoundary": "arn:aws:iam:00000000000:policy/boundaries", + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "complex.example.com" + }, + { + "Key": "Name", + "Value": "masters.complex.example.com" + }, + { + "Key": "Owner", + "Value": "John Doe" + }, + { + "Key": "foo/bar", + "Value": "fib+baz" + }, + { + "Key": "kubernetes.io/cluster/complex.example.com", + "Value": "owned" + } + ] } }, "AWSIAMRolenodescomplexexamplecom": { @@ -1596,7 +1618,29 @@ ], "Version": "2012-10-17" }, - "PermissionsBoundary": "arn:aws:iam:00000000000:policy/boundaries" + "PermissionsBoundary": "arn:aws:iam:00000000000:policy/boundaries", + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "complex.example.com" + }, + { + "Key": "Name", + "Value": "nodes.complex.example.com" + }, + { + "Key": "Owner", + "Value": "John Doe" + }, + { + "Key": "foo/bar", + "Value": "fib+baz" + }, + { + "Key": "kubernetes.io/cluster/complex.example.com", + "Value": "owned" + } + ] } }, "AWSRoute53RecordSetapicomplexexamplecom": { diff --git a/tests/integration/update_cluster/complex/kubernetes.tf b/tests/integration/update_cluster/complex/kubernetes.tf index b4aa505339284..ddb06041bf310 100644 --- a/tests/integration/update_cluster/complex/kubernetes.tf +++ b/tests/integration/update_cluster/complex/kubernetes.tf 
@@ -256,12 +256,26 @@ resource "aws_iam_role" "masters-complex-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_masters.complex.example.com_policy") name = "masters.complex.example.com" permissions_boundary = "arn:aws:iam:00000000000:policy/boundaries" + tags = { + "KubernetesCluster" = "complex.example.com" + "Name" = "masters.complex.example.com" + "Owner" = "John Doe" + "foo/bar" = "fib+baz" + "kubernetes.io/cluster/complex.example.com" = "owned" + } } resource "aws_iam_role" "nodes-complex-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.complex.example.com_policy") name = "nodes.complex.example.com" permissions_boundary = "arn:aws:iam:00000000000:policy/boundaries" + tags = { + "KubernetesCluster" = "complex.example.com" + "Name" = "nodes.complex.example.com" + "Owner" = "John Doe" + "foo/bar" = "fib+baz" + "kubernetes.io/cluster/complex.example.com" = "owned" + } } resource "aws_internet_gateway" "complex-example-com" { diff --git a/tests/integration/update_cluster/compress/kubernetes.tf b/tests/integration/update_cluster/compress/kubernetes.tf index 12d26e14f8729..5593d7055a758 100644 --- a/tests/integration/update_cluster/compress/kubernetes.tf +++ b/tests/integration/update_cluster/compress/kubernetes.tf 
@@ -229,11 +229,21 @@ resource "aws_iam_role_policy" "nodes-compress-example-com" { resource "aws_iam_role" "masters-compress-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_masters.compress.example.com_policy") name = "masters.compress.example.com" + tags = { + "KubernetesCluster" = "compress.example.com" + "Name" = "masters.compress.example.com" + "kubernetes.io/cluster/compress.example.com" = "owned" + } } resource "aws_iam_role" "nodes-compress-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.compress.example.com_policy") name = "nodes.compress.example.com" + tags = { + "KubernetesCluster" = "compress.example.com" + "Name" = "nodes.compress.example.com" + "kubernetes.io/cluster/compress.example.com" = "owned" + } } resource "aws_internet_gateway" "compress-example-com" { diff --git a/tests/integration/update_cluster/containerd-custom/cloudformation.json b/tests/integration/update_cluster/containerd-custom/cloudformation.json index 305a14701b625..84ff20123859d 100644 --- a/tests/integration/update_cluster/containerd-custom/cloudformation.json +++ b/tests/integration/update_cluster/containerd-custom/cloudformation.json @@ -1073,7 +1073,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "containerd.example.com" + }, + { + "Key": "Name", + "Value": "masters.containerd.example.com" + }, + { + "Key": "kubernetes.io/cluster/containerd.example.com", + "Value": "owned" + } + ] } }, "AWSIAMRolenodescontainerdexamplecom": { @@ -1091,7 +1105,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "containerd.example.com" + }, + { + "Key": "Name", + "Value": "nodes.containerd.example.com" + }, + { + "Key": "kubernetes.io/cluster/containerd.example.com", + "Value": "owned" + } + ] } } } 
diff --git a/tests/integration/update_cluster/containerd/cloudformation.json b/tests/integration/update_cluster/containerd/cloudformation.json index 305a14701b625..84ff20123859d 100644 --- a/tests/integration/update_cluster/containerd/cloudformation.json +++ b/tests/integration/update_cluster/containerd/cloudformation.json @@ -1073,7 +1073,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "containerd.example.com" + }, + { + "Key": "Name", + "Value": "masters.containerd.example.com" + }, + { + "Key": "kubernetes.io/cluster/containerd.example.com", + "Value": "owned" + } + ] } }, "AWSIAMRolenodescontainerdexamplecom": { @@ -1091,7 +1105,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "containerd.example.com" + }, + { + "Key": "Name", + "Value": "nodes.containerd.example.com" + }, + { + "Key": "kubernetes.io/cluster/containerd.example.com", + "Value": "owned" + } + ] } } } diff --git a/tests/integration/update_cluster/docker-custom/cloudformation.json b/tests/integration/update_cluster/docker-custom/cloudformation.json index 262b0a1d6662d..27e0311d3104a 100644 --- a/tests/integration/update_cluster/docker-custom/cloudformation.json +++ b/tests/integration/update_cluster/docker-custom/cloudformation.json @@ -1059,7 +1059,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "docker.example.com" + }, + { + "Key": "Name", + "Value": "masters.docker.example.com" + }, + { + "Key": "kubernetes.io/cluster/docker.example.com", + "Value": "owned" + } + ] } }, "AWSIAMRolenodesdockerexamplecom": { @@ -1077,7 +1091,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "docker.example.com" + }, + { + "Key": "Name", + "Value": "nodes.docker.example.com" + }, + { + "Key": "kubernetes.io/cluster/docker.example.com", + "Value": "owned" + } + ] } } } 
diff --git a/tests/integration/update_cluster/existing_sg/kubernetes.tf b/tests/integration/update_cluster/existing_sg/kubernetes.tf index 8302f8dbe9e56..4fbb1035873b9 100644 --- a/tests/integration/update_cluster/existing_sg/kubernetes.tf +++ b/tests/integration/update_cluster/existing_sg/kubernetes.tf @@ -420,11 +420,21 @@ resource "aws_iam_role_policy" "nodes-existingsg-example-com" { resource "aws_iam_role" "masters-existingsg-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_masters.existingsg.example.com_policy") name = "masters.existingsg.example.com" + tags = { + "KubernetesCluster" = "existingsg.example.com" + "Name" = "masters.existingsg.example.com" + "kubernetes.io/cluster/existingsg.example.com" = "owned" + } } resource "aws_iam_role" "nodes-existingsg-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.existingsg.example.com_policy") name = "nodes.existingsg.example.com" + tags = { + "KubernetesCluster" = "existingsg.example.com" + "Name" = "nodes.existingsg.example.com" + "kubernetes.io/cluster/existingsg.example.com" = "owned" + } } resource "aws_internet_gateway" "existingsg-example-com" { diff --git a/tests/integration/update_cluster/externallb/cloudformation.json b/tests/integration/update_cluster/externallb/cloudformation.json index 73449cbba9832..ec3d7ff97afd8 100644 --- a/tests/integration/update_cluster/externallb/cloudformation.json +++ b/tests/integration/update_cluster/externallb/cloudformation.json @@ -1074,7 +1074,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "externallb.example.com" + }, + { + "Key": "Name", + "Value": "masters.externallb.example.com" + }, + { + "Key": "kubernetes.io/cluster/externallb.example.com", + "Value": "owned" + } + ] } }, "AWSIAMRolenodesexternallbexamplecom": { 
@@ -1092,7 +1106,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "externallb.example.com" + }, + { + "Key": "Name", + "Value": "nodes.externallb.example.com" + }, + { + "Key": "kubernetes.io/cluster/externallb.example.com", + "Value": "owned" + } + ] } } } diff --git a/tests/integration/update_cluster/externallb/kubernetes.tf b/tests/integration/update_cluster/externallb/kubernetes.tf index d5bdabf8d058a..a340ca4aa08e7 100644 --- a/tests/integration/update_cluster/externallb/kubernetes.tf +++ b/tests/integration/update_cluster/externallb/kubernetes.tf @@ -233,11 +233,21 @@ resource "aws_iam_role_policy" "nodes-externallb-example-com" { resource "aws_iam_role" "masters-externallb-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_masters.externallb.example.com_policy") name = "masters.externallb.example.com" + tags = { + "KubernetesCluster" = "externallb.example.com" + "Name" = "masters.externallb.example.com" + "kubernetes.io/cluster/externallb.example.com" = "owned" + } } resource "aws_iam_role" "nodes-externallb-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.externallb.example.com_policy") name = "nodes.externallb.example.com" + tags = { + "KubernetesCluster" = "externallb.example.com" + "Name" = "nodes.externallb.example.com" + "kubernetes.io/cluster/externallb.example.com" = "owned" + } } resource "aws_internet_gateway" "externallb-example-com" { diff --git a/tests/integration/update_cluster/externalpolicies/kubernetes.tf b/tests/integration/update_cluster/externalpolicies/kubernetes.tf index cbcf752a6c81b..d6b1274257107 100644 --- a/tests/integration/update_cluster/externalpolicies/kubernetes.tf +++ b/tests/integration/update_cluster/externalpolicies/kubernetes.tf 
@@ -293,11 +293,25 @@ resource "aws_iam_role_policy" "nodes-externalpolicies-example-com" { resource "aws_iam_role" "masters-externalpolicies-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_masters.externalpolicies.example.com_policy") name = "masters.externalpolicies.example.com" + tags = { + "KubernetesCluster" = "externalpolicies.example.com" + "Name" = "masters.externalpolicies.example.com" + "Owner" = "John Doe" + "foo/bar" = "fib+baz" + "kubernetes.io/cluster/externalpolicies.example.com" = "owned" + } } resource "aws_iam_role" "nodes-externalpolicies-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.externalpolicies.example.com_policy") name = "nodes.externalpolicies.example.com" + tags = { + "KubernetesCluster" = "externalpolicies.example.com" + "Name" = "nodes.externalpolicies.example.com" + "Owner" = "John Doe" + "foo/bar" = "fib+baz" + "kubernetes.io/cluster/externalpolicies.example.com" = "owned" + } } resource "aws_internet_gateway" "externalpolicies-example-com" { diff --git a/tests/integration/update_cluster/ha/kubernetes.tf b/tests/integration/update_cluster/ha/kubernetes.tf index f96e82f22ff1d..59dccb5dfb644 100644 --- a/tests/integration/update_cluster/ha/kubernetes.tf +++ b/tests/integration/update_cluster/ha/kubernetes.tf 
@@ -391,11 +391,21 @@ resource "aws_iam_role_policy" "nodes-ha-example-com" { resource "aws_iam_role" "masters-ha-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_masters.ha.example.com_policy") name = "masters.ha.example.com" + tags = { + "KubernetesCluster" = "ha.example.com" + "Name" = "masters.ha.example.com" + "kubernetes.io/cluster/ha.example.com" = "owned" + } } resource "aws_iam_role" "nodes-ha-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.ha.example.com_policy") name = "nodes.ha.example.com" + tags = { + "KubernetesCluster" = "ha.example.com" + "Name" = "nodes.ha.example.com" + "kubernetes.io/cluster/ha.example.com" = "owned" + } } resource "aws_internet_gateway" "ha-example-com" { diff --git a/tests/integration/update_cluster/launch_templates/cloudformation.json b/tests/integration/update_cluster/launch_templates/cloudformation.json index 480779ae5cd83..fc62b28dead5e 100644 --- a/tests/integration/update_cluster/launch_templates/cloudformation.json +++ b/tests/integration/update_cluster/launch_templates/cloudformation.json @@ -1282,7 +1282,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "launchtemplates.example.com" + }, + { + "Key": "Name", + "Value": "masters.launchtemplates.example.com" + }, + { + "Key": "kubernetes.io/cluster/launchtemplates.example.com", + "Value": "owned" + } + ] } }, "AWSIAMRolenodeslaunchtemplatesexamplecom": { @@ -1300,7 +1314,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "launchtemplates.example.com" + }, + { + "Key": "Name", + "Value": "nodes.launchtemplates.example.com" + }, + { + "Key": "kubernetes.io/cluster/launchtemplates.example.com", + "Value": "owned" + } + ] } } } diff --git a/tests/integration/update_cluster/launch_templates/kubernetes.tf b/tests/integration/update_cluster/launch_templates/kubernetes.tf index 10caa6efce4a9..7f6d0b509386e 100644 
--- a/tests/integration/update_cluster/launch_templates/kubernetes.tf +++ b/tests/integration/update_cluster/launch_templates/kubernetes.tf @@ -380,11 +380,21 @@ resource "aws_iam_role_policy" "nodes-launchtemplates-example-com" { resource "aws_iam_role" "masters-launchtemplates-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_masters.launchtemplates.example.com_policy") name = "masters.launchtemplates.example.com" + tags = { + "KubernetesCluster" = "launchtemplates.example.com" + "Name" = "masters.launchtemplates.example.com" + "kubernetes.io/cluster/launchtemplates.example.com" = "owned" + } } resource "aws_iam_role" "nodes-launchtemplates-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.launchtemplates.example.com_policy") name = "nodes.launchtemplates.example.com" + tags = { + "KubernetesCluster" = "launchtemplates.example.com" + "Name" = "nodes.launchtemplates.example.com" + "kubernetes.io/cluster/launchtemplates.example.com" = "owned" + } } resource "aws_internet_gateway" "launchtemplates-example-com" { diff --git a/tests/integration/update_cluster/minimal-cloudformation/cloudformation.json b/tests/integration/update_cluster/minimal-cloudformation/cloudformation.json index 234ffb31e428d..5bbb8b5d9a8d5 100644 --- a/tests/integration/update_cluster/minimal-cloudformation/cloudformation.json +++ b/tests/integration/update_cluster/minimal-cloudformation/cloudformation.json @@ -1059,7 +1059,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "minimal.example.com" + }, + { + "Key": "Name", + "Value": "masters.minimal.example.com" + }, + { + "Key": "kubernetes.io/cluster/minimal.example.com", + "Value": "owned" + } + ] } }, "AWSIAMRolenodesminimalexamplecom": { 
@@ -1077,7 +1091,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "minimal.example.com" + }, + { + "Key": "Name", + "Value": "nodes.minimal.example.com" + }, + { + "Key": "kubernetes.io/cluster/minimal.example.com", + "Value": "owned" + } + ] } } } diff --git a/tests/integration/update_cluster/minimal-json/kubernetes.tf.json b/tests/integration/update_cluster/minimal-json/kubernetes.tf.json index b28b1b282a997..aea094a25fedc 100644 --- a/tests/integration/update_cluster/minimal-json/kubernetes.tf.json +++ b/tests/integration/update_cluster/minimal-json/kubernetes.tf.json @@ -252,11 +252,21 @@ "aws_iam_role": { "masters-minimal-json-example-com": { "name": "masters.minimal-json.example.com", - "assume_role_policy": "${file(\"${path.module}/data/aws_iam_role_masters.minimal-json.example.com_policy\")}" + "assume_role_policy": "${file(\"${path.module}/data/aws_iam_role_masters.minimal-json.example.com_policy\")}", + "tags": { + "KubernetesCluster": "minimal-json.example.com", + "Name": "masters.minimal-json.example.com", + "kubernetes.io/cluster/minimal-json.example.com": "owned" + } }, "nodes-minimal-json-example-com": { "name": "nodes.minimal-json.example.com", - "assume_role_policy": "${file(\"${path.module}/data/aws_iam_role_nodes.minimal-json.example.com_policy\")}" + "assume_role_policy": "${file(\"${path.module}/data/aws_iam_role_nodes.minimal-json.example.com_policy\")}", + "tags": { + "KubernetesCluster": "minimal-json.example.com", + "Name": "nodes.minimal-json.example.com", + "kubernetes.io/cluster/minimal-json.example.com": "owned" + } } }, "aws_iam_role_policy": { diff --git a/tests/integration/update_cluster/minimal/kubernetes.tf b/tests/integration/update_cluster/minimal/kubernetes.tf index d30ec4d90dcaf..2243bb3a346f0 100644 --- a/tests/integration/update_cluster/minimal/kubernetes.tf +++ b/tests/integration/update_cluster/minimal/kubernetes.tf 
@@ -229,11 +229,21 @@ resource "aws_iam_role_policy" "nodes-minimal-example-com" { resource "aws_iam_role" "masters-minimal-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_masters.minimal.example.com_policy") name = "masters.minimal.example.com" + tags = { + "KubernetesCluster" = "minimal.example.com" + "Name" = "masters.minimal.example.com" + "kubernetes.io/cluster/minimal.example.com" = "owned" + } } resource "aws_iam_role" "nodes-minimal-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.minimal.example.com_policy") name = "nodes.minimal.example.com" + tags = { + "KubernetesCluster" = "minimal.example.com" + "Name" = "nodes.minimal.example.com" + "kubernetes.io/cluster/minimal.example.com" = "owned" + } } resource "aws_internet_gateway" "minimal-example-com" { diff --git a/tests/integration/update_cluster/mixed_instances/cloudformation.json b/tests/integration/update_cluster/mixed_instances/cloudformation.json index 0b685dd88e668..8552e2235451b 100644 --- a/tests/integration/update_cluster/mixed_instances/cloudformation.json +++ b/tests/integration/update_cluster/mixed_instances/cloudformation.json @@ -1672,7 +1672,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "mixedinstances.example.com" + }, + { + "Key": "Name", + "Value": "masters.mixedinstances.example.com" + }, + { + "Key": "kubernetes.io/cluster/mixedinstances.example.com", + "Value": "owned" + } + ] } }, "AWSIAMRolenodesmixedinstancesexamplecom": { @@ -1690,7 +1704,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "mixedinstances.example.com" + }, + { + "Key": "Name", + "Value": "nodes.mixedinstances.example.com" + }, + { + "Key": "kubernetes.io/cluster/mixedinstances.example.com", + "Value": "owned" + } + ] } } } 
diff --git a/tests/integration/update_cluster/mixed_instances/kubernetes.tf b/tests/integration/update_cluster/mixed_instances/kubernetes.tf index 7c304478c9b32..2a47f79b8cefa 100644 --- a/tests/integration/update_cluster/mixed_instances/kubernetes.tf +++ b/tests/integration/update_cluster/mixed_instances/kubernetes.tf @@ -409,11 +409,21 @@ resource "aws_iam_role_policy" "nodes-mixedinstances-example-com" { resource "aws_iam_role" "masters-mixedinstances-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_masters.mixedinstances.example.com_policy") name = "masters.mixedinstances.example.com" + tags = { + "KubernetesCluster" = "mixedinstances.example.com" + "Name" = "masters.mixedinstances.example.com" + "kubernetes.io/cluster/mixedinstances.example.com" = "owned" + } } resource "aws_iam_role" "nodes-mixedinstances-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.mixedinstances.example.com_policy") name = "nodes.mixedinstances.example.com" + tags = { + "KubernetesCluster" = "mixedinstances.example.com" + "Name" = "nodes.mixedinstances.example.com" + "kubernetes.io/cluster/mixedinstances.example.com" = "owned" + } } resource "aws_internet_gateway" "mixedinstances-example-com" { diff --git a/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json b/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json index 8bca75639daa9..334b4fb52ab43 100644 --- a/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json +++ b/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json @@ -1673,7 +1673,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "mixedinstances.example.com" + }, + { + "Key": "Name", + "Value": "masters.mixedinstances.example.com" + }, + { + "Key": "kubernetes.io/cluster/mixedinstances.example.com", + "Value": "owned" + } + ] } }, "AWSIAMRolenodesmixedinstancesexamplecom": { 
@@ -1691,7 +1705,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "mixedinstances.example.com" + }, + { + "Key": "Name", + "Value": "nodes.mixedinstances.example.com" + }, + { + "Key": "kubernetes.io/cluster/mixedinstances.example.com", + "Value": "owned" + } + ] } } } diff --git a/tests/integration/update_cluster/mixed_instances_spot/kubernetes.tf b/tests/integration/update_cluster/mixed_instances_spot/kubernetes.tf index 1034ae06a40d8..0937295a1d2d6 100644 --- a/tests/integration/update_cluster/mixed_instances_spot/kubernetes.tf +++ b/tests/integration/update_cluster/mixed_instances_spot/kubernetes.tf @@ -409,11 +409,21 @@ resource "aws_iam_role_policy" "nodes-mixedinstances-example-com" { resource "aws_iam_role" "masters-mixedinstances-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_masters.mixedinstances.example.com_policy") name = "masters.mixedinstances.example.com" + tags = { + "KubernetesCluster" = "mixedinstances.example.com" + "Name" = "masters.mixedinstances.example.com" + "kubernetes.io/cluster/mixedinstances.example.com" = "owned" + } } resource "aws_iam_role" "nodes-mixedinstances-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.mixedinstances.example.com_policy") name = "nodes.mixedinstances.example.com" + tags = { + "KubernetesCluster" = "mixedinstances.example.com" + "Name" = "nodes.mixedinstances.example.com" + "kubernetes.io/cluster/mixedinstances.example.com" = "owned" + } } resource "aws_internet_gateway" "mixedinstances-example-com" { diff --git a/tests/integration/update_cluster/private-shared-ip/cloudformation.json b/tests/integration/update_cluster/private-shared-ip/cloudformation.json index f02c21a345cbc..548a8b56b73e8 100644 --- a/tests/integration/update_cluster/private-shared-ip/cloudformation.json +++ b/tests/integration/update_cluster/private-shared-ip/cloudformation.json 
@@ -1552,7 +1552,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "private-shared-ip.example.com" + }, + { + "Key": "Name", + "Value": "bastions.private-shared-ip.example.com" + }, + { + "Key": "kubernetes.io/cluster/private-shared-ip.example.com", + "Value": "owned" + } + ] } }, "AWSIAMRolemastersprivatesharedipexamplecom": { @@ -1570,7 +1584,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "private-shared-ip.example.com" + }, + { + "Key": "Name", + "Value": "masters.private-shared-ip.example.com" + }, + { + "Key": "kubernetes.io/cluster/private-shared-ip.example.com", + "Value": "owned" + } + ] } }, "AWSIAMRolenodesprivatesharedipexamplecom": { @@ -1588,7 +1616,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "private-shared-ip.example.com" + }, + { + "Key": "Name", + "Value": "nodes.private-shared-ip.example.com" + }, + { + "Key": "kubernetes.io/cluster/private-shared-ip.example.com", + "Value": "owned" + } + ] } }, "AWSRoute53RecordSetapiprivatesharedipexamplecom": { diff --git a/tests/integration/update_cluster/private-shared-ip/kubernetes.tf b/tests/integration/update_cluster/private-shared-ip/kubernetes.tf index b98ec97ccd3b2..f6e9e7076eba6 100644 --- a/tests/integration/update_cluster/private-shared-ip/kubernetes.tf +++ b/tests/integration/update_cluster/private-shared-ip/kubernetes.tf 
@@ -366,16 +366,31 @@ resource "aws_iam_role_policy" "nodes-private-shared-ip-example-com" { resource "aws_iam_role" "bastions-private-shared-ip-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_bastions.private-shared-ip.example.com_policy") name = "bastions.private-shared-ip.example.com" + tags = { + "KubernetesCluster" = "private-shared-ip.example.com" + "Name" = "bastions.private-shared-ip.example.com" + "kubernetes.io/cluster/private-shared-ip.example.com" = "owned" + } } resource "aws_iam_role" "masters-private-shared-ip-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_masters.private-shared-ip.example.com_policy") name = "masters.private-shared-ip.example.com" + tags = { + "KubernetesCluster" = "private-shared-ip.example.com" + "Name" = "masters.private-shared-ip.example.com" + "kubernetes.io/cluster/private-shared-ip.example.com" = "owned" + } } resource "aws_iam_role" "nodes-private-shared-ip-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.private-shared-ip.example.com_policy") name = "nodes.private-shared-ip.example.com" + tags = { + "KubernetesCluster" = "private-shared-ip.example.com" + "Name" = "nodes.private-shared-ip.example.com" + "kubernetes.io/cluster/private-shared-ip.example.com" = "owned" + } } resource "aws_key_pair" "kubernetes-private-shared-ip-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157" { diff --git a/tests/integration/update_cluster/private-shared-subnet/kubernetes.tf b/tests/integration/update_cluster/private-shared-subnet/kubernetes.tf index d3d962f2973ce..58ba03bff5031 100644 --- a/tests/integration/update_cluster/private-shared-subnet/kubernetes.tf +++ b/tests/integration/update_cluster/private-shared-subnet/kubernetes.tf 
@@ -361,16 +361,31 @@ resource "aws_iam_role_policy" "nodes-private-shared-subnet-example-com" { resource "aws_iam_role" "bastions-private-shared-subnet-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_bastions.private-shared-subnet.example.com_policy") name = "bastions.private-shared-subnet.example.com" + tags = { + "KubernetesCluster" = "private-shared-subnet.example.com" + "Name" = "bastions.private-shared-subnet.example.com" + "kubernetes.io/cluster/private-shared-subnet.example.com" = "owned" + } } resource "aws_iam_role" "masters-private-shared-subnet-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_masters.private-shared-subnet.example.com_policy") name = "masters.private-shared-subnet.example.com" + tags = { + "KubernetesCluster" = "private-shared-subnet.example.com" + "Name" = "masters.private-shared-subnet.example.com" + "kubernetes.io/cluster/private-shared-subnet.example.com" = "owned" + } } resource "aws_iam_role" "nodes-private-shared-subnet-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.private-shared-subnet.example.com_policy") name = "nodes.private-shared-subnet.example.com" + tags = { + "KubernetesCluster" = "private-shared-subnet.example.com" + "Name" = "nodes.private-shared-subnet.example.com" + "kubernetes.io/cluster/private-shared-subnet.example.com" = "owned" + } } resource "aws_key_pair" "kubernetes-private-shared-subnet-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157" { diff --git a/tests/integration/update_cluster/privatecalico/cloudformation.json b/tests/integration/update_cluster/privatecalico/cloudformation.json index 4c1e362ef9288..6b3780b9a1aa2 100644 --- a/tests/integration/update_cluster/privatecalico/cloudformation.json +++ b/tests/integration/update_cluster/privatecalico/cloudformation.json 
@@ -1697,7 +1697,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "privatecalico.example.com" + }, + { + "Key": "Name", + "Value": "bastions.privatecalico.example.com" + }, + { + "Key": "kubernetes.io/cluster/privatecalico.example.com", + "Value": "owned" + } + ] } }, "AWSIAMRolemastersprivatecalicoexamplecom": { @@ -1715,7 +1729,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "privatecalico.example.com" + }, + { + "Key": "Name", + "Value": "masters.privatecalico.example.com" + }, + { + "Key": "kubernetes.io/cluster/privatecalico.example.com", + "Value": "owned" + } + ] } }, "AWSIAMRolenodesprivatecalicoexamplecom": { @@ -1733,7 +1761,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "privatecalico.example.com" + }, + { + "Key": "Name", + "Value": "nodes.privatecalico.example.com" + }, + { + "Key": "kubernetes.io/cluster/privatecalico.example.com", + "Value": "owned" + } + ] } }, "AWSRoute53RecordSetapiprivatecalicoexamplecom": { diff --git a/tests/integration/update_cluster/privatecalico/kubernetes.tf b/tests/integration/update_cluster/privatecalico/kubernetes.tf index 9532c111fbc4c..54927d24a0b7a 100644 --- a/tests/integration/update_cluster/privatecalico/kubernetes.tf +++ b/tests/integration/update_cluster/privatecalico/kubernetes.tf 
@@ -380,16 +380,31 @@ resource "aws_iam_role_policy" "nodes-privatecalico-example-com" { resource "aws_iam_role" "bastions-privatecalico-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_bastions.privatecalico.example.com_policy") name = "bastions.privatecalico.example.com" + tags = { + "KubernetesCluster" = "privatecalico.example.com" + "Name" = "bastions.privatecalico.example.com" + "kubernetes.io/cluster/privatecalico.example.com" = "owned" + } } resource "aws_iam_role" "masters-privatecalico-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_masters.privatecalico.example.com_policy") name = "masters.privatecalico.example.com" + tags = { + "KubernetesCluster" = "privatecalico.example.com" + "Name" = "masters.privatecalico.example.com" + "kubernetes.io/cluster/privatecalico.example.com" = "owned" + } } resource "aws_iam_role" "nodes-privatecalico-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.privatecalico.example.com_policy") name = "nodes.privatecalico.example.com" + tags = { + "KubernetesCluster" = "privatecalico.example.com" + "Name" = "nodes.privatecalico.example.com" + "kubernetes.io/cluster/privatecalico.example.com" = "owned" + } } resource "aws_internet_gateway" "privatecalico-example-com" { diff --git a/tests/integration/update_cluster/privatecanal/kubernetes.tf b/tests/integration/update_cluster/privatecanal/kubernetes.tf index 8651a925baaaa..a6ce6e312bf57 100644 --- a/tests/integration/update_cluster/privatecanal/kubernetes.tf +++ b/tests/integration/update_cluster/privatecanal/kubernetes.tf 
@@ -380,16 +380,31 @@ resource "aws_iam_role_policy" "nodes-privatecanal-example-com" { resource "aws_iam_role" "bastions-privatecanal-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_bastions.privatecanal.example.com_policy") name = "bastions.privatecanal.example.com" + tags = { + "KubernetesCluster" = "privatecanal.example.com" + "Name" = "bastions.privatecanal.example.com" + "kubernetes.io/cluster/privatecanal.example.com" = "owned" + } } resource "aws_iam_role" "masters-privatecanal-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_masters.privatecanal.example.com_policy") name = "masters.privatecanal.example.com" + tags = { + "KubernetesCluster" = "privatecanal.example.com" + "Name" = "masters.privatecanal.example.com" + "kubernetes.io/cluster/privatecanal.example.com" = "owned" + } } resource "aws_iam_role" "nodes-privatecanal-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.privatecanal.example.com_policy") name = "nodes.privatecanal.example.com" + tags = { + "KubernetesCluster" = "privatecanal.example.com" + "Name" = "nodes.privatecanal.example.com" + "kubernetes.io/cluster/privatecanal.example.com" = "owned" + } } resource "aws_internet_gateway" "privatecanal-example-com" { diff --git a/tests/integration/update_cluster/privatecilium/cloudformation.json b/tests/integration/update_cluster/privatecilium/cloudformation.json index 0ae4850998c2b..150acbb0ace8a 100644 --- a/tests/integration/update_cluster/privatecilium/cloudformation.json +++ b/tests/integration/update_cluster/privatecilium/cloudformation.json @@ -1683,7 +1683,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "privatecilium.example.com" + }, + { + "Key": "Name", + "Value": "bastions.privatecilium.example.com" + }, + { + "Key": "kubernetes.io/cluster/privatecilium.example.com", + "Value": "owned" + } + ] } }, "AWSIAMRolemastersprivateciliumexamplecom": { 
@@ -1701,7 +1715,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "privatecilium.example.com" + }, + { + "Key": "Name", + "Value": "masters.privatecilium.example.com" + }, + { + "Key": "kubernetes.io/cluster/privatecilium.example.com", + "Value": "owned" + } + ] } }, "AWSIAMRolenodesprivateciliumexamplecom": { @@ -1719,7 +1747,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "privatecilium.example.com" + }, + { + "Key": "Name", + "Value": "nodes.privatecilium.example.com" + }, + { + "Key": "kubernetes.io/cluster/privatecilium.example.com", + "Value": "owned" + } + ] } }, "AWSRoute53RecordSetapiprivateciliumexamplecom": { diff --git a/tests/integration/update_cluster/privatecilium/kubernetes.tf b/tests/integration/update_cluster/privatecilium/kubernetes.tf index bcaf35d7961d0..7e5f8d3585f0f 100644 --- a/tests/integration/update_cluster/privatecilium/kubernetes.tf +++ b/tests/integration/update_cluster/privatecilium/kubernetes.tf 
@@ -380,16 +380,31 @@ resource "aws_iam_role_policy" "nodes-privatecilium-example-com" { resource "aws_iam_role" "bastions-privatecilium-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_bastions.privatecilium.example.com_policy") name = "bastions.privatecilium.example.com" + tags = { + "KubernetesCluster" = "privatecilium.example.com" + "Name" = "bastions.privatecilium.example.com" + "kubernetes.io/cluster/privatecilium.example.com" = "owned" + } } resource "aws_iam_role" "masters-privatecilium-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_masters.privatecilium.example.com_policy") name = "masters.privatecilium.example.com" + tags = { + "KubernetesCluster" = "privatecilium.example.com" + "Name" = "masters.privatecilium.example.com" + "kubernetes.io/cluster/privatecilium.example.com" = "owned" + } } resource "aws_iam_role" "nodes-privatecilium-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.privatecilium.example.com_policy") name = "nodes.privatecilium.example.com" + tags = { + "KubernetesCluster" = "privatecilium.example.com" + "Name" = "nodes.privatecilium.example.com" + "kubernetes.io/cluster/privatecilium.example.com" = "owned" + } } resource "aws_internet_gateway" "privatecilium-example-com" { diff --git a/tests/integration/update_cluster/privatecilium2/cloudformation.json b/tests/integration/update_cluster/privatecilium2/cloudformation.json index 0ae4850998c2b..150acbb0ace8a 100644 --- a/tests/integration/update_cluster/privatecilium2/cloudformation.json +++ b/tests/integration/update_cluster/privatecilium2/cloudformation.json 
@@ -1683,7 +1683,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "privatecilium.example.com" + }, + { + "Key": "Name", + "Value": "bastions.privatecilium.example.com" + }, + { + "Key": "kubernetes.io/cluster/privatecilium.example.com", + "Value": "owned" + } + ] } }, "AWSIAMRolemastersprivateciliumexamplecom": { @@ -1701,7 +1715,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "privatecilium.example.com" + }, + { + "Key": "Name", + "Value": "masters.privatecilium.example.com" + }, + { + "Key": "kubernetes.io/cluster/privatecilium.example.com", + "Value": "owned" + } + ] } }, "AWSIAMRolenodesprivateciliumexamplecom": { @@ -1719,7 +1747,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "privatecilium.example.com" + }, + { + "Key": "Name", + "Value": "nodes.privatecilium.example.com" + }, + { + "Key": "kubernetes.io/cluster/privatecilium.example.com", + "Value": "owned" + } + ] } }, "AWSRoute53RecordSetapiprivateciliumexamplecom": { diff --git a/tests/integration/update_cluster/privatecilium2/kubernetes.tf b/tests/integration/update_cluster/privatecilium2/kubernetes.tf index bcaf35d7961d0..7e5f8d3585f0f 100644 --- a/tests/integration/update_cluster/privatecilium2/kubernetes.tf +++ b/tests/integration/update_cluster/privatecilium2/kubernetes.tf 
@@ -380,16 +380,31 @@ resource "aws_iam_role_policy" "nodes-privatecilium-example-com" { resource "aws_iam_role" "bastions-privatecilium-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_bastions.privatecilium.example.com_policy") name = "bastions.privatecilium.example.com" + tags = { + "KubernetesCluster" = "privatecilium.example.com" + "Name" = "bastions.privatecilium.example.com" + "kubernetes.io/cluster/privatecilium.example.com" = "owned" + } } resource "aws_iam_role" "masters-privatecilium-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_masters.privatecilium.example.com_policy") name = "masters.privatecilium.example.com" + tags = { + "KubernetesCluster" = "privatecilium.example.com" + "Name" = "masters.privatecilium.example.com" + "kubernetes.io/cluster/privatecilium.example.com" = "owned" + } } resource "aws_iam_role" "nodes-privatecilium-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.privatecilium.example.com_policy") name = "nodes.privatecilium.example.com" + tags = { + "KubernetesCluster" = "privatecilium.example.com" + "Name" = "nodes.privatecilium.example.com" + "kubernetes.io/cluster/privatecilium.example.com" = "owned" + } } resource "aws_internet_gateway" "privatecilium-example-com" { diff --git a/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json b/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json index 3165c26d73373..f870fcc98c086 100644 --- a/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json +++ b/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json 
@@ -1734,7 +1734,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "privateciliumadvanced.example.com" + }, + { + "Key": "Name", + "Value": "bastions.privateciliumadvanced.example.com" + }, + { + "Key": "kubernetes.io/cluster/privateciliumadvanced.example.com", + "Value": "owned" + } + ] } }, "AWSIAMRolemastersprivateciliumadvancedexamplecom": { @@ -1752,7 +1766,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "privateciliumadvanced.example.com" + }, + { + "Key": "Name", + "Value": "masters.privateciliumadvanced.example.com" + }, + { + "Key": "kubernetes.io/cluster/privateciliumadvanced.example.com", + "Value": "owned" + } + ] } }, "AWSIAMRolenodesprivateciliumadvancedexamplecom": { @@ -1770,7 +1798,21 @@ } ], "Version": "2012-10-17" - } + }, + "Tags": [ + { + "Key": "KubernetesCluster", + "Value": "privateciliumadvanced.example.com" + }, + { + "Key": "Name", + "Value": "nodes.privateciliumadvanced.example.com" + }, + { + "Key": "kubernetes.io/cluster/privateciliumadvanced.example.com", + "Value": "owned" + } + ] } }, "AWSRoute53RecordSetapiprivateciliumadvancedexamplecom": { diff --git a/tests/integration/update_cluster/privateciliumadvanced/kubernetes.tf b/tests/integration/update_cluster/privateciliumadvanced/kubernetes.tf index e21946fffb5b3..e877adf59f175 100644 --- a/tests/integration/update_cluster/privateciliumadvanced/kubernetes.tf +++ b/tests/integration/update_cluster/privateciliumadvanced/kubernetes.tf 
@@ -394,16 +394,31 @@ resource "aws_iam_role_policy" "nodes-privateciliumadvanced-example-com" { resource "aws_iam_role" "bastions-privateciliumadvanced-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_bastions.privateciliumadvanced.example.com_policy") name = "bastions.privateciliumadvanced.example.com" + tags = { + "KubernetesCluster" = "privateciliumadvanced.example.com" + "Name" = "bastions.privateciliumadvanced.example.com" + "kubernetes.io/cluster/privateciliumadvanced.example.com" = "owned" + } } resource "aws_iam_role" "masters-privateciliumadvanced-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_masters.privateciliumadvanced.example.com_policy") name = "masters.privateciliumadvanced.example.com" + tags = { + "KubernetesCluster" = "privateciliumadvanced.example.com" + "Name" = "masters.privateciliumadvanced.example.com" + "kubernetes.io/cluster/privateciliumadvanced.example.com" = "owned" + } } resource "aws_iam_role" "nodes-privateciliumadvanced-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.privateciliumadvanced.example.com_policy") name = "nodes.privateciliumadvanced.example.com" + tags = { + "KubernetesCluster" = "privateciliumadvanced.example.com" + "Name" = "nodes.privateciliumadvanced.example.com" + "kubernetes.io/cluster/privateciliumadvanced.example.com" = "owned" + } } resource "aws_internet_gateway" "privateciliumadvanced-example-com" { diff --git a/tests/integration/update_cluster/privatedns1/kubernetes.tf b/tests/integration/update_cluster/privatedns1/kubernetes.tf index 76e0b02461dd6..844116ce09ec6 100644 --- a/tests/integration/update_cluster/privatedns1/kubernetes.tf +++ b/tests/integration/update_cluster/privatedns1/kubernetes.tf 
@@ -420,16 +420,37 @@ resource "aws_iam_role_policy" "nodes-privatedns1-example-com" { resource "aws_iam_role" "bastions-privatedns1-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_bastions.privatedns1.example.com_policy") name = "bastions.privatedns1.example.com" + tags = { + "KubernetesCluster" = "privatedns1.example.com" + "Name" = "bastions.privatedns1.example.com" + "Owner" = "John Doe" + "foo/bar" = "fib+baz" + "kubernetes.io/cluster/privatedns1.example.com" = "owned" + } } resource "aws_iam_role" "masters-privatedns1-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_masters.privatedns1.example.com_policy") name = "masters.privatedns1.example.com" + tags = { + "KubernetesCluster" = "privatedns1.example.com" + "Name" = "masters.privatedns1.example.com" + "Owner" = "John Doe" + "foo/bar" = "fib+baz" + "kubernetes.io/cluster/privatedns1.example.com" = "owned" + } } resource "aws_iam_role" "nodes-privatedns1-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.privatedns1.example.com_policy") name = "nodes.privatedns1.example.com" + tags = { + "KubernetesCluster" = "privatedns1.example.com" + "Name" = "nodes.privatedns1.example.com" + "Owner" = "John Doe" + "foo/bar" = "fib+baz" + "kubernetes.io/cluster/privatedns1.example.com" = "owned" + } } resource "aws_internet_gateway" "privatedns1-example-com" { diff --git a/tests/integration/update_cluster/privatedns2/kubernetes.tf b/tests/integration/update_cluster/privatedns2/kubernetes.tf index bfb289c5225ca..c44541f9b190e 100644 --- a/tests/integration/update_cluster/privatedns2/kubernetes.tf +++ b/tests/integration/update_cluster/privatedns2/kubernetes.tf 
@@ -375,16 +375,31 @@ resource "aws_iam_role_policy" "nodes-privatedns2-example-com" { resource "aws_iam_role" "bastions-privatedns2-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_bastions.privatedns2.example.com_policy") name = "bastions.privatedns2.example.com" + tags = { + "KubernetesCluster" = "privatedns2.example.com" + "Name" = "bastions.privatedns2.example.com" + "kubernetes.io/cluster/privatedns2.example.com" = "owned" + } } resource "aws_iam_role" "masters-privatedns2-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_masters.privatedns2.example.com_policy") name = "masters.privatedns2.example.com" + tags = { + "KubernetesCluster" = "privatedns2.example.com" + "Name" = "masters.privatedns2.example.com" + "kubernetes.io/cluster/privatedns2.example.com" = "owned" + } } resource "aws_iam_role" "nodes-privatedns2-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.privatedns2.example.com_policy") name = "nodes.privatedns2.example.com" + tags = { + "KubernetesCluster" = "privatedns2.example.com" + "Name" = "nodes.privatedns2.example.com" + "kubernetes.io/cluster/privatedns2.example.com" = "owned" + } } resource "aws_key_pair" "kubernetes-privatedns2-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157" { diff --git a/tests/integration/update_cluster/privateflannel/kubernetes.tf b/tests/integration/update_cluster/privateflannel/kubernetes.tf index 277dcbdcb50d2..57749086bc01a 100644 --- a/tests/integration/update_cluster/privateflannel/kubernetes.tf +++ b/tests/integration/update_cluster/privateflannel/kubernetes.tf 
@@ -380,16 +380,31 @@ resource "aws_iam_role_policy" "nodes-privateflannel-example-com" { resource "aws_iam_role" "bastions-privateflannel-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_bastions.privateflannel.example.com_policy") name = "bastions.privateflannel.example.com" + tags = { + "KubernetesCluster" = "privateflannel.example.com" + "Name" = "bastions.privateflannel.example.com" + "kubernetes.io/cluster/privateflannel.example.com" = "owned" + } } resource "aws_iam_role" "masters-privateflannel-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_masters.privateflannel.example.com_policy") name = "masters.privateflannel.example.com" + tags = { + "KubernetesCluster" = "privateflannel.example.com" + "Name" = "masters.privateflannel.example.com" + "kubernetes.io/cluster/privateflannel.example.com" = "owned" + } } resource "aws_iam_role" "nodes-privateflannel-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.privateflannel.example.com_policy") name = "nodes.privateflannel.example.com" + tags = { + "KubernetesCluster" = "privateflannel.example.com" + "Name" = "nodes.privateflannel.example.com" + "kubernetes.io/cluster/privateflannel.example.com" = "owned" + } } resource "aws_internet_gateway" "privateflannel-example-com" { diff --git a/tests/integration/update_cluster/privatekopeio/kubernetes.tf b/tests/integration/update_cluster/privatekopeio/kubernetes.tf index 50985fc0ac8f8..09872f6c35891 100644 --- a/tests/integration/update_cluster/privatekopeio/kubernetes.tf +++ b/tests/integration/update_cluster/privatekopeio/kubernetes.tf 
@@ -386,16 +386,31 @@ resource "aws_iam_role_policy" "nodes-privatekopeio-example-com" { resource "aws_iam_role" "bastions-privatekopeio-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_bastions.privatekopeio.example.com_policy") name = "bastions.privatekopeio.example.com" + tags = { + "KubernetesCluster" = "privatekopeio.example.com" + "Name" = "bastions.privatekopeio.example.com" + "kubernetes.io/cluster/privatekopeio.example.com" = "owned" + } } resource "aws_iam_role" "masters-privatekopeio-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_masters.privatekopeio.example.com_policy") name = "masters.privatekopeio.example.com" + tags = { + "KubernetesCluster" = "privatekopeio.example.com" + "Name" = "masters.privatekopeio.example.com" + "kubernetes.io/cluster/privatekopeio.example.com" = "owned" + } } resource "aws_iam_role" "nodes-privatekopeio-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.privatekopeio.example.com_policy") name = "nodes.privatekopeio.example.com" + tags = { + "KubernetesCluster" = "privatekopeio.example.com" + "Name" = "nodes.privatekopeio.example.com" + "kubernetes.io/cluster/privatekopeio.example.com" = "owned" + } } resource "aws_internet_gateway" "privatekopeio-example-com" { diff --git a/tests/integration/update_cluster/privateweave/kubernetes.tf b/tests/integration/update_cluster/privateweave/kubernetes.tf index 2e984ce69a53f..532ce110c2598 100644 --- a/tests/integration/update_cluster/privateweave/kubernetes.tf +++ b/tests/integration/update_cluster/privateweave/kubernetes.tf 
@@ -380,16 +380,31 @@ resource "aws_iam_role_policy" "nodes-privateweave-example-com" { resource "aws_iam_role" "bastions-privateweave-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_bastions.privateweave.example.com_policy") name = "bastions.privateweave.example.com" + tags = { + "KubernetesCluster" = "privateweave.example.com" + "Name" = "bastions.privateweave.example.com" + "kubernetes.io/cluster/privateweave.example.com" = "owned" + } } resource "aws_iam_role" "masters-privateweave-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_masters.privateweave.example.com_policy") name = "masters.privateweave.example.com" + tags = { + "KubernetesCluster" = "privateweave.example.com" + "Name" = "masters.privateweave.example.com" + "kubernetes.io/cluster/privateweave.example.com" = "owned" + } } resource "aws_iam_role" "nodes-privateweave-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.privateweave.example.com_policy") name = "nodes.privateweave.example.com" + tags = { + "KubernetesCluster" = "privateweave.example.com" + "Name" = "nodes.privateweave.example.com" + "kubernetes.io/cluster/privateweave.example.com" = "owned" + } } resource "aws_internet_gateway" "privateweave-example-com" { diff --git a/tests/integration/update_cluster/public-jwks/kubernetes.tf b/tests/integration/update_cluster/public-jwks/kubernetes.tf index 698496a45047f..3bc8a2eb77551 100644 --- a/tests/integration/update_cluster/public-jwks/kubernetes.tf +++ b/tests/integration/update_cluster/public-jwks/kubernetes.tf 
@@ -251,16 +251,31 @@ resource "aws_iam_role_policy" "nodes-minimal-example-com" { resource "aws_iam_role" "dns-controller-kube-system-sa-minimal-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_dns-controller.kube-system.sa.minimal.example.com_policy") name = "dns-controller.kube-system.sa.minimal.example.com" + tags = { + "KubernetesCluster" = "minimal.example.com" + "Name" = "dns-controller.kube-system.sa.minimal.example.com" + "kubernetes.io/cluster/minimal.example.com" = "owned" + } } resource "aws_iam_role" "masters-minimal-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_masters.minimal.example.com_policy") name = "masters.minimal.example.com" + tags = { + "KubernetesCluster" = "minimal.example.com" + "Name" = "masters.minimal.example.com" + "kubernetes.io/cluster/minimal.example.com" = "owned" + } } resource "aws_iam_role" "nodes-minimal-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.minimal.example.com_policy") name = "nodes.minimal.example.com" + tags = { + "KubernetesCluster" = "minimal.example.com" + "Name" = "nodes.minimal.example.com" + "kubernetes.io/cluster/minimal.example.com" = "owned" + } } resource "aws_internet_gateway" "minimal-example-com" { diff --git a/tests/integration/update_cluster/shared_subnet/kubernetes.tf b/tests/integration/update_cluster/shared_subnet/kubernetes.tf index a6fa2fd7f60d8..cdf310002bb16 100644 --- a/tests/integration/update_cluster/shared_subnet/kubernetes.tf +++ b/tests/integration/update_cluster/shared_subnet/kubernetes.tf 
@@ -224,11 +224,21 @@ resource "aws_iam_role_policy" "nodes-sharedsubnet-example-com" { resource "aws_iam_role" "masters-sharedsubnet-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_masters.sharedsubnet.example.com_policy") name = "masters.sharedsubnet.example.com" + tags = { + "KubernetesCluster" = "sharedsubnet.example.com" + "Name" = "masters.sharedsubnet.example.com" + "kubernetes.io/cluster/sharedsubnet.example.com" = "owned" + } } resource "aws_iam_role" "nodes-sharedsubnet-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.sharedsubnet.example.com_policy") name = "nodes.sharedsubnet.example.com" + tags = { + "KubernetesCluster" = "sharedsubnet.example.com" + "Name" = "nodes.sharedsubnet.example.com" + "kubernetes.io/cluster/sharedsubnet.example.com" = "owned" + } } resource "aws_key_pair" "kubernetes-sharedsubnet-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157" { diff --git a/tests/integration/update_cluster/shared_vpc/kubernetes.tf b/tests/integration/update_cluster/shared_vpc/kubernetes.tf index a3d973bb298cf..8cc61a7d7b8e5 100644 --- a/tests/integration/update_cluster/shared_vpc/kubernetes.tf +++ b/tests/integration/update_cluster/shared_vpc/kubernetes.tf 
@@ -224,11 +224,21 @@ resource "aws_iam_role_policy" "nodes-sharedvpc-example-com" { resource "aws_iam_role" "masters-sharedvpc-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_masters.sharedvpc.example.com_policy") name = "masters.sharedvpc.example.com" + tags = { + "KubernetesCluster" = "sharedvpc.example.com" + "Name" = "masters.sharedvpc.example.com" + "kubernetes.io/cluster/sharedvpc.example.com" = "owned" + } } resource "aws_iam_role" "nodes-sharedvpc-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.sharedvpc.example.com_policy") name = "nodes.sharedvpc.example.com" + tags = { + "KubernetesCluster" = "sharedvpc.example.com" + "Name" = "nodes.sharedvpc.example.com" + "kubernetes.io/cluster/sharedvpc.example.com" = "owned" + } } resource "aws_key_pair" "kubernetes-sharedvpc-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157" { diff --git a/tests/integration/update_cluster/unmanaged/kubernetes.tf b/tests/integration/update_cluster/unmanaged/kubernetes.tf index 5daab61f3c4d2..8848eaec17079 100644 --- a/tests/integration/update_cluster/unmanaged/kubernetes.tf +++ b/tests/integration/update_cluster/unmanaged/kubernetes.tf 
@@ -366,16 +366,31 @@ resource "aws_iam_role_policy" "nodes-unmanaged-example-com" { resource "aws_iam_role" "bastions-unmanaged-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_bastions.unmanaged.example.com_policy") name = "bastions.unmanaged.example.com" + tags = { + "KubernetesCluster" = "unmanaged.example.com" + "Name" = "bastions.unmanaged.example.com" + "kubernetes.io/cluster/unmanaged.example.com" = "owned" + } } resource "aws_iam_role" "masters-unmanaged-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_masters.unmanaged.example.com_policy") name = "masters.unmanaged.example.com" + tags = { + "KubernetesCluster" = "unmanaged.example.com" + "Name" = "masters.unmanaged.example.com" + "kubernetes.io/cluster/unmanaged.example.com" = "owned" + } } resource "aws_iam_role" "nodes-unmanaged-example-com" { assume_role_policy = file("${path.module}/data/aws_iam_role_nodes.unmanaged.example.com_policy") name = "nodes.unmanaged.example.com" + tags = { + "KubernetesCluster" = "unmanaged.example.com" + "Name" = "nodes.unmanaged.example.com" + "kubernetes.io/cluster/unmanaged.example.com" = "owned" + } } resource "aws_key_pair" "kubernetes-unmanaged-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157" { diff --git a/upup/pkg/fi/cloudup/awstasks/iamrole.go b/upup/pkg/fi/cloudup/awstasks/iamrole.go index 8fcead88deb20..e00200b01cf7e 100644 --- a/upup/pkg/fi/cloudup/awstasks/iamrole.go +++ b/upup/pkg/fi/cloudup/awstasks/iamrole.go @@ -44,6 +44,8 @@ type IAMRole struct { RolePolicyDocument fi.Resource // "inline" IAM policy PermissionsBoundary *string + Tags map[string]string + // ExportWithId will expose the name & ARN for reuse as part of a larger system. Only supported by terraform currently. ExportWithID *string } 
@@ -110,6 +112,7 @@ func (e *IAMRole) Find(c *fi.Context) (*IAMRole, error) { actual.RolePolicyDocument = fi.NewStringResource(actualPolicy) } + actual.Tags = mapIAMTagsToMap(r.Tags) klog.V(2).Infof("found matching IAMRole %q", aws.StringValue(actual.ID)) e.ID = actual.ID @@ -150,6 +153,7 @@ func (_ *IAMRole) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *IAMRole) error request := &iam.CreateRoleInput{} request.AssumeRolePolicyDocument = aws.String(policy) request.RoleName = e.Name + request.Tags = mapToIAMTags(e.Tags) if e.PermissionsBoundary != nil { request.PermissionsBoundary = e.PermissionsBoundary @@ -215,7 +219,32 @@ func (_ *IAMRole) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *IAMRole) error return fmt.Errorf("error updating IAMRole: %v", err) } } - + } + if changes.Tags != nil { + if len(a.Tags) > 0 { + existingTagKeys := make([]*string, 0) + for k := range a.Tags { + existingTagKeys = append(existingTagKeys, &k) + } + untagRequest := &iam.UntagRoleInput{ + RoleName: e.Name, + TagKeys: existingTagKeys, + } + _, err = t.Cloud.IAM().UntagRole(untagRequest) + if err != nil { + return fmt.Errorf("error untagging IAMRole: %v", err) + } + } + if len(e.Tags) > 0 { + tagRequest := &iam.TagRoleInput{ + RoleName: e.Name, + Tags: mapToIAMTags(e.Tags), + } + _, err = t.Cloud.IAM().TagRole(tagRequest) + if err != nil { + return fmt.Errorf("error tagging IAMRole: %v", err) + } + } } } @@ -227,6 +256,7 @@ type terraformIAMRole struct { Name *string `json:"name" cty:"name"` AssumeRolePolicy *terraform.Literal `json:"assume_role_policy" cty:"assume_role_policy"` PermissionsBoundary *string `json:"permissions_boundary,omitempty" cty:"permissions_boundary"` + Tags map[string]string `json:"tags,omitempty" cty:"tags"` } func (_ *IAMRole) RenderTerraform(t *terraform.TerraformTarget, a, e, changes *IAMRole) error { 
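Review bot: In the `changes.Tags != nil` branch added to RenderAWS, `existingTagKeys = append(existingTagKeys, &k)` takes the address of the range variable, so on Go versions before 1.22 every element points at the same string and UntagRole receives one key repeated, leaving the other old tags on the role. Use `existingTagKeys = append(existingTagKeys, aws.String(k))` so each key gets its own pointer. This matters beyond tidiness wherever IAM policies condition on role tags, because a tag the cluster spec no longer carries would keep matching. Untagging everything before calling TagRole also leaves the role untagged if the second call fails; removing only the keys absent from `e.Tags` would avoid that, since TagRole overwrites the value of a key that already exists. RenderAWS starts and ends outside this hunk, so the surrounding create/update branching is not visible here.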
@@ -238,6 +268,7 @@ func (_ *IAMRole) RenderTerraform(t *terraform.TerraformTarget, a, e, changes *I tf := &terraformIAMRole{ Name: e.Name, AssumeRolePolicy: policy, + Tags: e.Tags, } if e.PermissionsBoundary != nil { @@ -259,7 +290,8 @@ func (e *IAMRole) TerraformLink() *terraform.Literal { type cloudformationIAMRole struct { RoleName *string `json:"RoleName"` AssumeRolePolicyDocument map[string]interface{} - PermissionsBoundary *string `json:"PermissionsBoundary,omitempty"` + PermissionsBoundary *string `json:"PermissionsBoundary,omitempty"` + Tags []cloudformationTag `json:"Tags,omitempty"` } func (_ *IAMRole) RenderCloudformation(t *cloudformation.CloudformationTarget, a, e, changes *IAMRole) error { @@ -277,6 +309,7 @@ func (_ *IAMRole) RenderCloudformation(t *cloudformation.CloudformationTarget, a cf := &cloudformationIAMRole{ RoleName: e.Name, AssumeRolePolicyDocument: data, + Tags: buildCloudformationTags(e.Tags), } if e.PermissionsBoundary != nil { diff --git a/upup/pkg/fi/cloudup/awstasks/tags.go b/upup/pkg/fi/cloudup/awstasks/tags.go index d63f72ec45dfb..3627c92c01944 100644 --- a/upup/pkg/fi/cloudup/awstasks/tags.go +++ b/upup/pkg/fi/cloudup/awstasks/tags.go @@ -21,6 +21,7 @@ import ( "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/service/ec2" + "github.com/aws/aws-sdk-go/service/iam" ) func mapEC2TagsToMap(tags []*ec2.Tag) map[string]string { 
@@ -37,6 +38,34 @@ func mapEC2TagsToMap(tags []*ec2.Tag) map[string]string { return m } +func mapIAMTagsToMap(tags []*iam.Tag) map[string]string { + if tags == nil { + return nil + } + m := make(map[string]string) + for _, t := range tags { + if strings.HasPrefix(aws.StringValue(t.Key), "aws:cloudformation:") { + continue + } + m[aws.StringValue(t.Key)] = aws.StringValue(t.Value) + } + return m +} + +func mapToIAMTags(tags map[string]string) []*iam.Tag { + if tags == nil { + return nil + } + m := make([]*iam.Tag, 0) + for k, v := range tags { + m = append(m, &iam.Tag{ + Key: aws.String(k), + Value: aws.String(v), + }) + } + return m +} + func findNameTag(tags []*ec2.Tag) *string { for _, tag := range tags { if aws.StringValue(tag.Key) == "Name" {
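Review bot: `mapIAMTagsToMap` skips only keys starting with `aws:cloudformation:`, but AWS reserves the whole `aws:` prefix and tags under it cannot be edited or removed by the caller. Any other `aws:`-prefixed tag on a role would land in the returned map, show up as a difference from the desired tags, and presumably be passed to UntagRole by the RenderAWS change in iamrole.go; consider `if strings.HasPrefix(aws.StringValue(t.Key), "aws:") {`. Both new helpers also lack doc comments: one line each stating that a nil input returns nil, plus a note on `mapToIAMTags` such as `// mapToIAMTags converts a tag map to IAM tags; the order of the result is unspecified.`, would spare the next reader from working that out from the map iteration.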