Fix bug where AWS IAM roles could be created for a particular workloa…

…d even when disabled for that particular workload (#549)
otterize · Jan 22, 2025 · 56ba685 · 56ba685
1 parent b18fa88
commit 56ba685
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 13 deletions.
diff --git a/.../intents_reconcilers/iam/iampolicyagents/awspolicyagent/multi_account_aws_policy_agent.go b/.../intents_reconcilers/iam/iampolicyagents/awspolicyagent/multi_account_aws_policy_agent.go
@@ -3,7 +3,6 @@ package awspolicyagent
 import (
 	"context"
 	otterizev2alpha1 "github.com/otterize/intents-operator/src/operator/api/v2alpha1"
-	"github.com/otterize/intents-operator/src/shared/awsagent"
 	"github.com/otterize/intents-operator/src/shared/awsagent/multi_account_aws_agent"
 	"github.com/otterize/intents-operator/src/shared/errors"
 	"github.com/otterize/intents-operator/src/shared/operatorconfig"
@@ -27,7 +26,7 @@ func (m *MultiaccountAWSPolicyAgent) IntentType() otterizev2alpha1.IntentType {
 }
 
 func (m *MultiaccountAWSPolicyAgent) AppliesOnPod(pod *corev1.Pod) bool {
-	return awsagent.AppliesOnPod(pod)
+	return multi_account_aws_agent.AppliesOnPod(pod)
 }
 
 func (m *MultiaccountAWSPolicyAgent) AddRolePolicyFromIntents(ctx context.Context, namespace string, accountName string, intentsServiceName string, intents []otterizev2alpha1.Target, pod corev1.Pod) error {

diff --git a/src/shared/awsagent/agent.go b/src/shared/awsagent/agent.go
@@ -95,7 +95,7 @@ type Agent struct {
 	profileCacheOnce    sync.Once
 }
 
-const ApplyOnPodLabel = "credentials-operator.otterize.com/create-aws-role"
+const AWSApplyOnPodLabel = "credentials-operator.otterize.com/create-aws-role"
 
 // ServiceAccountAWSAccountIDAnnotation is used by Otterize to indicate that this service account should result in a role in the specified AWS account.
 const ServiceAccountAWSAccountIDAnnotation = "credentials-operator.otterize.com/aws-account"
@@ -113,15 +113,7 @@ func WithSoftDeleteStrategy() Option {
 }
 
 func (a *Agent) AppliesOnPod(pod *corev1.Pod) bool {
-	return AppliesOnPod(pod)
-}
-
-func AppliesOnPod(pod *corev1.Pod) bool {
-	if pod.Labels == nil {
-		return false
-	}
-	_, foundLabel := pod.Labels[ApplyOnPodLabel]
-	return foundLabel
+	return pod.Labels != nil && pod.Labels[AWSApplyOnPodLabel] == "true"
 }
 
 func WithRolesAnywhere(account operatorconfig.AWSAccount, clusterName string, keyPath string, certPath string) Option {

diff --git a/src/shared/awsagent/multi_account_aws_agent/account_getters.go b/src/shared/awsagent/multi_account_aws_agent/account_getters.go
@@ -3,10 +3,22 @@ package multi_account_aws_agent
 import (
 	"github.com/otterize/intents-operator/src/shared/awsagent"
 	corev1 "k8s.io/api/core/v1"
+	"regexp"
 )
 
+var AWSAccountIDRegex = regexp.MustCompile(`^(\d{12})$`)
+
+func AppliesOnPod(pod *corev1.Pod) bool {
+	if pod.Labels == nil {
+		return false
+	}
+	value, found := pod.Labels[awsagent.AWSApplyOnPodLabel]
+	// in multi-account-mode, the 'ApplyOnPodLabel' is used to specify the account ID
+	return found && AWSAccountIDRegex.MatchString(value)
+}
+
 func AccountFromPod(pod *corev1.Pod) (string, bool) {
-	value, found := pod.Labels[awsagent.ApplyOnPodLabel]
+	value, found := pod.Labels[awsagent.AWSApplyOnPodLabel]
 	if !found {
 		return "", false
 	}