Skip to content

Commit

Permalink
Tag S3 bucket as owned by cluster
Browse files Browse the repository at this point in the history
  • Loading branch information
AndiDog committed Sep 26, 2023
1 parent 76e369a commit 722abcd
Show file tree
Hide file tree
Showing 4 changed files with 65 additions and 0 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -283,6 +283,7 @@ func (t Template) ControllersPolicy() *iamv1.PolicyDocument {
"s3:PutObject",
"s3:DeleteObject",
"s3:PutBucketPolicy",
"s3:PutBucketTagging",
},
})
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -288,6 +288,7 @@ Resources:
- s3:PutObject
- s3:DeleteObject
- s3:PutBucketPolicy
- s3:PutBucketTagging
Effect: Allow
Resource:
- arn:*:s3:::cluster-api-provider-aws-*
Expand Down
38 changes: 38 additions & 0 deletions pkg/cloud/services/s3/s3.go
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ import (
"github.com/aws/aws-sdk-go/service/sts/stsiface"
"github.com/pkg/errors"

infrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
iam "sigs.k8s.io/cluster-api-provider-aws/v2/iam/api/v1beta1"
"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/cloud/scope"
"sigs.k8s.io/cluster-api-provider-aws/v2/util/system"
Expand Down Expand Up @@ -68,6 +69,10 @@ func (s *Service) ReconcileBucket() error {
return errors.Wrap(err, "ensuring bucket exists")
}

if err := s.tagBucket(bucketName); err != nil {
return errors.Wrap(err, "tagging bucket")
}

if err := s.ensureBucketPolicy(bucketName); err != nil {
return errors.Wrap(err, "ensuring bucket policy")
}
Expand Down Expand Up @@ -230,6 +235,39 @@ func (s *Service) ensureBucketPolicy(bucketName string) error {
return nil
}

func (s *Service) tagBucket(bucketName string) error {
taggingInput := &s3.PutBucketTaggingInput{
Bucket: aws.String(bucketName),
Tagging: &s3.Tagging{
TagSet: nil,
},
}

tags := infrav1.Build(infrav1.BuildParams{
ClusterName: s.scope.Name(),
Lifecycle: infrav1.ResourceLifecycleOwned,
Name: nil,
Role: aws.String("node"),
Additional: nil,
})

for key, value := range tags {
taggingInput.Tagging.TagSet = append(taggingInput.Tagging.TagSet, &s3.Tag{
Key: aws.String(key),
Value: aws.String(value),
})
}

_, err := s.S3Client.PutBucketTagging(taggingInput)
if err != nil {
return err
}

s.scope.Trace("Tagged bucket", "bucket_name", bucketName)

return nil
}

func (s *Service) bucketPolicy(bucketName string) (string, error) {
accountID, err := s.STSClient.GetCallerIdentity(&sts.GetCallerIdentityInput{})
if err != nil {
Expand Down
25 changes: 25 additions & 0 deletions pkg/cloud/services/s3/s3_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,25 @@ func TestReconcileBucket(t *testing.T) {
}

s3Mock.EXPECT().CreateBucket(gomock.Eq(input)).Return(nil, nil).Times(1)

taggingInput := &s3svc.PutBucketTaggingInput{
Bucket: aws.String(expectedBucketName),
Tagging: &s3svc.Tagging{
TagSet: []*s3svc.Tag{
{
Key: aws.String("sigs.k8s.io/cluster-api-provider-aws/cluster/test-cluster"),
Value: aws.String("owned"),
},
{
Key: aws.String("sigs.k8s.io/cluster-api-provider-aws/role"),
Value: aws.String("node"),
},
},
},
}

s3Mock.EXPECT().PutBucketTagging(gomock.Eq(taggingInput)).Return(nil, nil).Times(1)

s3Mock.EXPECT().PutBucketPolicy(gomock.Any()).Return(nil, nil).Times(1)

if err := svc.ReconcileBucket(); err != nil {
Expand Down Expand Up @@ -129,6 +148,7 @@ func TestReconcileBucket(t *testing.T) {
}
}).Return(nil, nil).Times(1)

s3Mock.EXPECT().PutBucketTagging(gomock.Any()).Return(nil, nil).Times(1)
s3Mock.EXPECT().PutBucketPolicy(gomock.Any()).Return(nil, nil).Times(1)

if err := svc.ReconcileBucket(); err != nil {
Expand All @@ -150,6 +170,7 @@ func TestReconcileBucket(t *testing.T) {
})

s3Mock.EXPECT().CreateBucket(gomock.Any()).Return(nil, nil).Times(1)
s3Mock.EXPECT().PutBucketTagging(gomock.Any()).Return(nil, nil).Times(1)
s3Mock.EXPECT().PutBucketPolicy(gomock.Any()).Do(func(input *s3svc.PutBucketPolicyInput) {
if input.Policy == nil {
t.Fatalf("Policy must be defined")
Expand Down Expand Up @@ -189,6 +210,7 @@ func TestReconcileBucket(t *testing.T) {
svc, s3Mock := testService(t, &infrav1.S3Bucket{})

s3Mock.EXPECT().CreateBucket(gomock.Any()).Return(nil, nil).Times(2)
s3Mock.EXPECT().PutBucketTagging(gomock.Any()).Return(nil, nil).Times(2)
s3Mock.EXPECT().PutBucketPolicy(gomock.Any()).Return(nil, nil).Times(2)

if err := svc.ReconcileBucket(); err != nil {
Expand All @@ -208,6 +230,7 @@ func TestReconcileBucket(t *testing.T) {
err := awserr.New(s3svc.ErrCodeBucketAlreadyOwnedByYou, "err", errors.New("err"))

s3Mock.EXPECT().CreateBucket(gomock.Any()).Return(nil, err).Times(1)
s3Mock.EXPECT().PutBucketTagging(gomock.Any()).Return(nil, nil).Times(1)
s3Mock.EXPECT().PutBucketPolicy(gomock.Any()).Return(nil, nil).Times(1)

if err := svc.ReconcileBucket(); err != nil {
Expand Down Expand Up @@ -248,6 +271,7 @@ func TestReconcileBucket(t *testing.T) {
svc, s3Mock := testService(t, &infrav1.S3Bucket{})

s3Mock.EXPECT().CreateBucket(gomock.Any()).Return(nil, nil).Times(1)
s3Mock.EXPECT().PutBucketTagging(gomock.Any()).Return(nil, nil).Times(1)

mockCtrl := gomock.NewController(t)
stsMock := mock_stsiface.NewMockSTSAPI(mockCtrl)
Expand All @@ -265,6 +289,7 @@ func TestReconcileBucket(t *testing.T) {
svc, s3Mock := testService(t, &infrav1.S3Bucket{})

s3Mock.EXPECT().CreateBucket(gomock.Any()).Return(nil, nil).Times(1)
s3Mock.EXPECT().PutBucketTagging(gomock.Any()).Return(nil, nil).Times(1)
s3Mock.EXPECT().PutBucketPolicy(gomock.Any()).Return(nil, errors.New("error")).Times(1)

if err := svc.ReconcileBucket(); err == nil {
Expand Down

0 comments on commit 722abcd

Please sign in to comment.