Initial commit from kro/examples/aws/eks-cluster-mgmt

scripts/create_ack_workload_roles.sh

@@ -0,0 +1,124 @@
+#!/bin/bash
+
+# Disable AWS CLI paging
+export AWS_PAGER=""
+
+create_ack_workload_roles() {
+    local MGMT_ACCOUNT_ID="$1"
+
+    if [ -z "$MGMT_ACCOUNT_ID" ]; then
+        echo "Usage: create_ack_workload_roles <mgmt-account-id>"
+        echo "Example: create_ack_workload_roles 123456789012"
+        return 1
+    fi
+    # Generate trust policy for a specific service
+    generate_trust_policy() {
+        cat <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "arn:aws:iam::${MGMT_ACCOUNT_ID}:role/${CLUSTER_NAME}-ack-controller"
+            },
+            "Action": [
+              "sts:AssumeRole",
+              "sts:TagSession"
+              ],
+            "Condition": {}
+        }
+    ]
+}
+EOF
+    }
+
+    # Generate the trust policy for this service
+    local TRUST_POLICY
+    TRUST_POLICY=$(generate_trust_policy)
+    echo "${TRUST_POLICY}" > trust.json
+
+
+    # Create the role with the trust policy
+    local ROLE_NAME="ack"
+    local ROLE_DESCRIPTION="Workload role for ACK controllers"
+    echo "Creating role ${ROLE_NAME}"
+    aws iam create-role \
+        --role-name "${ROLE_NAME}" \
+        --assume-role-policy-document file://trust.json \
+        --description "${ROLE_DESCRIPTION}"
+
+    if [ $? -eq 0 ]; then
+        echo "Successfully created role ${ROLE_NAME}"
+        local ROLE_ARN
+        ROLE_ARN=$(aws iam get-role --role-name "${ROLE_NAME}" --query Role.Arn --output text)
+        echo "Role ARN: ${ROLE_ARN}"
+        rm -f trust.json
+    else
+        echo "Failed to create/configure role ${ROLE_NAME}"
+        rm -f trust.json
+        return 1
+    fi
+
+    #for SERVICE in iam ec2 eks secretsmanager; do
+    for SERVICE in iam ec2 eks; do
+        echo ">>>>>>>>>SERVICE:$SERVICE"
+
+        # Download and apply the recommended policies
+        local BASE_URL="https://raw.githubusercontent.com/aws-controllers-k8s/${SERVICE}-controller/main"
+        local POLICY_ARN_URL="${BASE_URL}/config/iam/recommended-policy-arn"
+        local POLICY_ARN_STRINGS
+        POLICY_ARN_STRINGS="$(wget -qO- ${POLICY_ARN_URL})"
+
+        local INLINE_POLICY_URL="${BASE_URL}/config/iam/recommended-inline-policy"
+        local INLINE_POLICY
+        INLINE_POLICY="$(wget -qO- ${INLINE_POLICY_URL})"
+
+        # Attach managed policies
+        while IFS= read -r POLICY_ARN; do
+            if [ -n "$POLICY_ARN" ]; then
+                echo -n "Attaching $POLICY_ARN ... "
+                aws iam attach-role-policy \
+                    --role-name "${ROLE_NAME}" \
+                    --policy-arn "${POLICY_ARN}"
+                echo "ok."
+            fi
+        done <<< "$POLICY_ARN_STRINGS"
+
+        # Add inline policy if it exists
+        if [ ! -z "$INLINE_POLICY" ]; then
+            echo -n "Putting inline policy ... "
+            aws iam put-role-policy \
+                --role-name "${ROLE_NAME}" \
+                --policy-name "ack-recommended-policy-${SERVICE}" \
+                --policy-document "$INLINE_POLICY"
+            echo "ok."
+        fi
+
+        if [ $? -eq 0 ]; then
+            echo "Successfully configured role ${ROLE_NAME}"
+        else
+            echo "Failed to configure role ${ROLE_NAME}"
+            return 1
+        fi
+    done
+
+    return 0
+}
+
+# Main script execution
+if [ -z "$MGMT_ACCOUNT_ID" ]; then
+    echo "You must set the MGMT_ACCOUNT_ID environment variable"
+    echo "Example: export MGMT_ACCOUNT_ID=123456789012"
+    exit 1
+fi
+
+if [ -z "$CLUSTER_NAME" ]; then
+    echo "You must set the CLUSTER_NAME environment variable"
+    echo "Example: export CLUSTER_NAME=hub-cluster"
+    exit 1
+fi
+
+echo "Management Account ID: $MGMT_ACCOUNT_ID"
+echo "Cluster Name: $CLUSTER_NAME"
+create_ack_workload_roles "$MGMT_ACCOUNT_ID"

scripts/delete_ack_workload_roles.sh

@@ -0,0 +1,87 @@
+#!/bin/bash
+
+# Script to delete IAM roles by first removing all attached policies
+# Usage: ./delete_ack_workload_roles.sh role1 role2 role3 ...
+# ./delete_ack_workload_roles.sh eks-cluster-mgmt-iam eks-cluster-mgmt-ec2 eks-cluster-mgmt-eks
+
+set -e
+
+# Check if AWS CLI is installed
+if ! command -v aws &> /dev/null; then
+    echo "AWS CLI is not installed. Please install it first."
+    exit 1
+fi
+
+# Check if at least one role name is provided
+if [ $# -eq 0 ]; then
+    echo "Usage: $0 role1 role2 role3 ..."
+    echo "Please provide at least one role name to delete."
+    exit 1
+fi
+
+# Function to delete a role
+delete_role() {
+    local role_name=$1
+    echo "Processing role: $role_name"
+    
+    # Check if role exists
+    if ! aws iam get-role --role-name "$role_name" &> /dev/null; then
+        echo "Role $role_name does not exist. Skipping."
+        return 0
+    fi
+    
+    # List and detach managed policies
+    echo "Checking for attached managed policies..."
+    local attached_policies=$(aws iam list-attached-role-policies --role-name "$role_name" --query "AttachedPolicies[*].PolicyArn" --output text)
+    
+    if [ -n "$attached_policies" ]; then
+        echo "Detaching managed policies from $role_name..."
+        for policy_arn in $attached_policies; do
+            echo "  Detaching policy: $policy_arn"
+            aws iam detach-role-policy --role-name "$role_name" --policy-arn "$policy_arn"
+        done
+    else
+        echo "No managed policies attached to $role_name."
+    fi
+    
+    # List and delete inline policies
+    echo "Checking for inline policies..."
+    local inline_policies=$(aws iam list-role-policies --role-name "$role_name" --query "PolicyNames" --output text)
+    
+    if [ -n "$inline_policies" ] && [ "$inline_policies" != "None" ]; then
+        echo "Removing inline policies from $role_name..."
+        for policy_name in $inline_policies; do
+            echo "  Removing inline policy: $policy_name"
+            aws iam delete-role-policy --role-name "$role_name" --policy-name "$policy_name"
+        done
+    else
+        echo "No inline policies for $role_name."
+    fi
+    
+    # Delete instance profiles associated with the role (if any)
+    echo "Checking for instance profiles..."
+    local instance_profiles=$(aws iam list-instance-profiles-for-role --role-name "$role_name" --query "InstanceProfiles[*].InstanceProfileName" --output text)
+    
+    if [ -n "$instance_profiles" ] && [ "$instance_profiles" != "None" ]; then
+        echo "Removing role from instance profiles..."
+        for profile_name in $instance_profiles; do
+            echo "  Removing role from instance profile: $profile_name"
+            aws iam remove-role-from-instance-profile --instance-profile-name "$profile_name" --role-name "$role_name"
+        done
+    else
+        echo "No instance profiles for $role_name."
+    fi
+    
+    # Finally delete the role
+    echo "Deleting role: $role_name"
+    aws iam delete-role --role-name "$role_name"
+    echo "Role $role_name successfully deleted."
+    echo "----------------------------------------"
+}
+
+# Process each role
+for role in "$@"; do
+    delete_role "$role"
+done
+
+echo "All specified roles have been processed."