Merge pull request #7715 from timandy/main

Fix arn build logic to support different aws partitions
eksctl-io · Apr 23, 2024 · a6bc072 · a6bc072
2 parents ce836e8 + 940b4bd
commit a6bc072
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 7 deletions.
diff --git a/pkg/actions/karpenter/create.go b/pkg/actions/karpenter/create.go
@@ -44,8 +44,8 @@ func (i *Installer) Create(ctx context.Context) error {
 	// Because we prefix with eksctl and to avoid having to get the name again,
 	// we always pass in the name and overwrite with the service account label.
 	roleName := fmt.Sprintf("eksctl-%s-iamservice-role", i.Config.Metadata.Name)
-	roleARN := fmt.Sprintf("arn:aws:iam::%s:role/%s", parsedARN.AccountID, roleName)
-	policyArn := fmt.Sprintf("arn:aws:iam::%s:policy/eksctl-%s-%s", parsedARN.AccountID, builder.KarpenterManagedPolicy, i.Config.Metadata.Name)
+	roleARN := fmt.Sprintf("arn:%s:iam::%s:role/%s", parsedARN.Partition, parsedARN.AccountID, roleName)
+	policyArn := fmt.Sprintf("arn:%s:iam::%s:policy/eksctl-%s-%s", parsedARN.Partition, parsedARN.AccountID, builder.KarpenterManagedPolicy, i.Config.Metadata.Name)
 	iamServiceAccount := &api.ClusterIAMServiceAccount{
 		ClusterIAMMeta: api.ClusterIAMMeta{
 			Name:      karpenter.DefaultServiceAccountName,
@@ -69,7 +69,7 @@ func (i *Installer) Create(ctx context.Context) error {
 	if err != nil {
 		return fmt.Errorf("failed to create client for auth config: %w", err)
 	}
-	identityArn := fmt.Sprintf("arn:aws:iam::%s:role/eksctl-%s-%s", parsedARN.AccountID, builder.KarpenterNodeRoleName, i.Config.Metadata.Name)
+	identityArn := fmt.Sprintf("arn:%s:iam::%s:role/eksctl-%s-%s", parsedARN.Partition, parsedARN.AccountID, builder.KarpenterNodeRoleName, i.Config.Metadata.Name)
 	id, err := iam.NewIdentity(identityArn, authconfigmap.RoleNodeGroupUsername, authconfigmap.RoleNodeGroupGroups)
 	if err != nil {
 		return fmt.Errorf("failed to create new identity: %w", err)

diff --git a/pkg/cfn/builder/fargate.go b/pkg/cfn/builder/fargate.go
@@ -112,7 +112,7 @@ func makeSourceArnCondition(cfg *api.ClusterConfig) (cft.MapOfInterfaces, error)
 	}
 	return cft.MapOfInterfaces{
 		"ArnLike": cft.MapOfInterfaces{
-			"aws:SourceArn": fmt.Sprintf("arn:aws:eks:%s:%s:fargateprofile/%s/*", cfg.Metadata.Region, accountID, cfg.Metadata.Name),
+			"aws:SourceArn": fmt.Sprintf("arn:%s:eks:%s:%s:fargateprofile/%s/*", api.Partitions.ForRegion(cfg.Metadata.Region), cfg.Metadata.Region, accountID, cfg.Metadata.Name),
 		},
 	}, nil
 }

diff --git a/pkg/connector/connector.go b/pkg/connector/connector.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/base64"
+	"fmt"
 	"strings"
 	"time"
 
@@ -346,7 +347,7 @@ func (c *EKSConnector) createConnectorRole(ctx context.Context, cluster External
 	_, err = c.Provider.IAM().PutRolePolicy(ctx, &iam.PutRolePolicyInput{
 		RoleName:   roleName,
 		PolicyName: aws.String(connectorPolicyName),
-		PolicyDocument: aws.String(`{
+		PolicyDocument: aws.String(fmt.Sprintf(`{
 	  "Version": "2012-10-17",
 	  "Statement": [
 	    {
@@ -355,7 +356,7 @@ func (c *EKSConnector) createConnectorRole(ctx context.Context, cluster External
 	      "Action": [
 	        "ssmmessages:CreateControlChannel"
 	      ],
-	      "Resource": "arn:aws:eks:*:*:cluster/*"
+	      "Resource": "arn:%s:eks:*:*:cluster/*"
 	    },
 	    {
 	      "Sid": "ssmDataplaneOperations",
@@ -368,7 +369,7 @@ func (c *EKSConnector) createConnectorRole(ctx context.Context, cluster External
 	      "Resource": "*"
 	    }
 	  ]
-	}`),
+	}`, api.Partitions.ForRegion(c.Provider.Region()))),
 	})
 
 	if err != nil {