Merge "aws: add support for attaching instance profiles"

2020-07-01 23:43:47 +00:00 · 2020-07-01 23:43:47 +00:00 · 369799dea6
commit 369799dea6
parent ef4242c2fb 2d59dc461c
5 changed files with 57 additions and 0 deletions
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@ -1715,6 +1715,8 @@ section of the configuration.
               - name: debian9
                 cloud-image: debian9
                 instance-type: t3.medium
+                 iam-instance-profile:
+                   arn: arn:aws:iam::123456789012:instance-profile/s3-read-only
                 key-name: zuul
                 tags:
                   key1: value1
@ -1941,6 +1943,22 @@ section of the configuration.

              Name of the flavor to use.

+           .. attr:: iam-instance-profile
+              :type: dict
+
+              Used to attach an iam instance profile.
+              Useful for giving access to services without needing any secrets.
+
+              .. attr:: name
+
+                 Name of the instance profile.
+                 Mutually exclusive with :attr:`providers.[aws].pools.labels.iam-instance-profile.arn`
+
+              .. attr:: arn
+
+                 ARN identifier of the profile.
+                 Mutually exclusive with :attr:`providers.[aws].pools.labels.iam-instance-profile.name`
+
           .. attr:: key-name
              :type: string
              :required:
--- a/nodepool/driver/aws/config.py
+++ b/nodepool/driver/aws/config.py
@ -58,6 +58,7 @@ class ProviderLabel(ConfigValue):
        self.volume_size = None
        self.volume_type = None
        self.userdata = None
+        self.iam_instance_profile = None
        # The ProviderPool object that owns this label.
        self.pool = None
        self.tags = None
@ -74,6 +75,7 @@ class ProviderLabel(ConfigValue):
                    and other.volume_size == self.volume_size
                    and other.volume_type == self.volume_type
                    and other.userdata == self.userdata
+                    and other.iam_instance_profile == self.iam_instance_profile
                    and other.tags == self.tags)
        return False

@ -131,6 +133,7 @@ class ProviderPool(ConfigPool):
            pl.volume_type = label.get('volume-type')
            pl.volume_size = label.get('volume-size')
            pl.userdata = label.get('userdata', None)
+            pl.iam_instance_profile = label.get('iam-instance-profile', None)
            pl.tags = [
                {
                    "Key": k,
@ -243,6 +246,10 @@ class AwsProviderConfig(ProviderConfig):
            'volume-type': str,
            'volume-size': int,
            'userdata': str,
+            'iam-instance-profile': {
+                v.Exclusive('name', 'iam_instance_profile_id'): str,
+                v.Exclusive('arn', 'iam_instance_profile_id'): str
+            },
            'tags': dict,
        }

--- a/nodepool/driver/aws/provider.py
+++ b/nodepool/driver/aws/provider.py
@ -193,6 +193,16 @@ class AwsProvider(Provider):
        if label.userdata:
            args['UserData'] = label.userdata

+        if label.iam_instance_profile:
+            if 'name' in label.iam_instance_profile:
+                args['IamInstanceProfile'] = {
+                    'Name': label.iam_instance_profile['name']
+                }
+            elif 'arn' in label.iam_instance_profile:
+                args['IamInstanceProfile'] = {
+                    'Arn': label.iam_instance_profile['arn']
+                }
+
        # Default block device mapping parameters are embedded in AMIs.
        # We might need to supply our own mapping before lauching the instance.
        # We basically want to make sure DeleteOnTermination is true and be
--- a/nodepool/tests/fixtures/aws.yaml
+++ b/nodepool/tests/fixtures/aws.yaml
@ -13,6 +13,8 @@ labels:
  - name: ubuntu1404-non-host-key-checking
  - name: ubuntu1404-private-ip
  - name: ubuntu1404-userdata
+  - name: ubuntu1404-iam-instance-profile-name
+  - name: ubuntu1404-iam-instance-profile-arn
  - name: ubuntu1404-with-tags
  - name: ubuntu1404-with-name-tag

@ -93,6 +95,18 @@ providers:
            instance-type: t3.medium
            key-name: zuul
            userdata: fake-user-data
+          - name: ubuntu1404-iam-instance-profile-name
+            cloud-image: ubuntu1404
+            instance-type: t3.medium
+            key-name: zuul
+            iam-instance-profile:
+              name: not-a-real-profile
+          - name: ubuntu1404-iam-instance-profile-arn
+            cloud-image: ubuntu1404
+            instance-type: t3.medium
+            key-name: zuul
+            iam-instance-profile:
+              arn: arn:aws:iam::123456789012:instance-profile/not-a-real-profile
      - name: non-host-key-checking
        max-servers: 1
        subnet-id: null
--- a/nodepool/tests/unit/test_driver_aws.py
+++ b/nodepool/tests/unit/test_driver_aws.py
@ -221,6 +221,14 @@ class TestDriverAws(tests.DBTestCase):
        self._test_ec2_machine('ubuntu1404-userdata',
                               userdata=True)

+    # Note(avass): moto does not yet support attaching an instance profile
+    # but these two at least tests to make sure that the instances 'starts'
+    def test_ec2_machine_iam_instance_profile_name(self):
+        self._test_ec2_machine('ubuntu1404-iam-instance-profile-name')
+
+    def test_ec2_machine_iam_instance_profile_arn(self):
+        self._test_ec2_machine('ubuntu1404-iam-instance-profile-arn')
+
    def test_ec2_machine_private_ip(self):
        self._test_ec2_machine('ubuntu1404-private-ip',
                               public_ip=False)