github.com/openshift/installer@v1.4.17/pkg/asset/installconfig/aws/permissions_test.go (about) 1 package aws 2 3 import ( 4 "testing" 5 6 "github.com/stretchr/testify/assert" 7 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 8 9 "github.com/openshift/installer/pkg/types" 10 "github.com/openshift/installer/pkg/types/aws" 11 ) 12 13 func basicInstallConfig() types.InstallConfig { 14 return types.InstallConfig{ 15 ObjectMeta: metav1.ObjectMeta{ 16 Name: "ClusterMetaName", 17 }, 18 Platform: types.Platform{ 19 AWS: &aws.Platform{}, 20 }, 21 } 22 } 23 24 func TestIncludesCreateInstanceRole(t *testing.T) { 25 t.Run("Should be true when", func(t *testing.T) { 26 t.Run("no machine types specified", func(t *testing.T) { 27 ic := basicInstallConfig() 28 assert.True(t, includesCreateInstanceRole(&ic)) 29 }) 30 t.Run("no IAM roles specified", func(t *testing.T) { 31 ic := basicInstallConfig() 32 ic.ControlPlane = &types.MachinePool{} 33 ic.Compute = []types.MachinePool{ 34 { 35 Platform: types.MachinePoolPlatform{ 36 AWS: &aws.MachinePool{}, 37 }, 38 }, 39 } 40 ic.AWS.DefaultMachinePlatform = &aws.MachinePool{} 41 assert.True(t, includesCreateInstanceRole(&ic)) 42 }) 43 t.Run("IAM role specified for controlPlane", func(t *testing.T) { 44 ic := basicInstallConfig() 45 ic.ControlPlane = &types.MachinePool{ 46 Platform: types.MachinePoolPlatform{ 47 AWS: &aws.MachinePool{ 48 IAMRole: "custom-master-role", 49 }, 50 }, 51 } 52 assert.True(t, includesCreateInstanceRole(&ic)) 53 }) 54 t.Run("IAM role specified for compute", func(t *testing.T) { 55 ic := basicInstallConfig() 56 ic.Compute = []types.MachinePool{ 57 { 58 Platform: types.MachinePoolPlatform{ 59 AWS: &aws.MachinePool{ 60 IAMRole: "custom-master-role", 61 }, 62 }, 63 }, 64 } 65 assert.True(t, includesCreateInstanceRole(&ic)) 66 }) 67 }) 68 69 t.Run("Should be false when", func(t *testing.T) { 70 t.Run("IAM role specified for defaultMachinePlatform", func(t *testing.T) { 71 ic := basicInstallConfig() 72 ic.AWS.DefaultMachinePlatform = &aws.MachinePool{ 73 IAMRole: "custom-default-role", 74 } 75 assert.False(t, includesCreateInstanceRole(&ic)) 76 }) 77 t.Run("IAM roles specified for controlPlane and compute", func(t *testing.T) { 78 ic := basicInstallConfig() 79 ic.ControlPlane = &types.MachinePool{ 80 Platform: types.MachinePoolPlatform{ 81 AWS: &aws.MachinePool{ 82 IAMRole: "custom-master-role", 83 }, 84 }, 85 } 86 ic.Compute = []types.MachinePool{ 87 { 88 Platform: types.MachinePoolPlatform{ 89 AWS: &aws.MachinePool{ 90 IAMRole: "custom-master-role", 91 }, 92 }, 93 }, 94 } 95 assert.False(t, includesCreateInstanceRole(&ic)) 96 }) 97 t.Run("IAM roles specified for controlPlane and defaultMachinePlatform, compute is nil", func(t *testing.T) { 98 ic := basicInstallConfig() 99 ic.ControlPlane = &types.MachinePool{ 100 Platform: types.MachinePoolPlatform{ 101 AWS: &aws.MachinePool{ 102 IAMRole: "custom-master-role", 103 }, 104 }, 105 } 106 ic.AWS.DefaultMachinePlatform = &aws.MachinePool{ 107 IAMRole: "custom-default-role", 108 } 109 assert.False(t, includesCreateInstanceRole(&ic)) 110 }) 111 t.Run("IAM roles specified for controlPlane and defaultMachinePlatform, compute is not nil", func(t *testing.T) { 112 ic := basicInstallConfig() 113 ic.ControlPlane = &types.MachinePool{ 114 Platform: types.MachinePoolPlatform{ 115 AWS: &aws.MachinePool{ 116 IAMRole: "custom-master-role", 117 }, 118 }, 119 } 120 ic.Compute = []types.MachinePool{ 121 { 122 Platform: types.MachinePoolPlatform{ 123 AWS: &aws.MachinePool{}, 124 }, 125 }, 126 } 127 ic.AWS.DefaultMachinePlatform = &aws.MachinePool{ 128 IAMRole: "custom-default-role", 129 } 130 assert.False(t, includesCreateInstanceRole(&ic)) 131 }) 132 t.Run("IAM roles specified for compute and defaultMachinePlatform", func(t *testing.T) { 133 ic := basicInstallConfig() 134 ic.Compute = []types.MachinePool{ 135 { 136 Platform: types.MachinePoolPlatform{ 137 AWS: &aws.MachinePool{ 138 IAMRole: "custom-master-role", 139 }, 140 }, 141 }, 142 } 143 ic.AWS.DefaultMachinePlatform = &aws.MachinePool{ 144 IAMRole: "custom-default-role", 145 } 146 assert.False(t, includesCreateInstanceRole(&ic)) 147 }) 148 }) 149 } 150 151 func TestIncludesExistingInstanceRole(t *testing.T) { 152 t.Run("Should be true when", func(t *testing.T) { 153 t.Run("IAM role specified for defaultMachinePlatform", func(t *testing.T) { 154 ic := basicInstallConfig() 155 ic.AWS.DefaultMachinePlatform = &aws.MachinePool{ 156 IAMRole: "custom-default-role", 157 } 158 assert.True(t, includesExistingInstanceRole(&ic)) 159 }) 160 t.Run("IAM role specified for controlPlane", func(t *testing.T) { 161 ic := basicInstallConfig() 162 ic.ControlPlane = &types.MachinePool{ 163 Platform: types.MachinePoolPlatform{ 164 AWS: &aws.MachinePool{ 165 IAMRole: "custom-master-role", 166 }, 167 }, 168 } 169 assert.True(t, includesExistingInstanceRole(&ic)) 170 }) 171 t.Run("IAM role specified for compute", func(t *testing.T) { 172 ic := basicInstallConfig() 173 ic.Compute = []types.MachinePool{ 174 { 175 Platform: types.MachinePoolPlatform{ 176 AWS: &aws.MachinePool{ 177 IAMRole: "custom-master-role", 178 }, 179 }, 180 }, 181 } 182 assert.True(t, includesExistingInstanceRole(&ic)) 183 }) 184 t.Run("IAM role specified for controlPlane and compute", func(t *testing.T) { 185 ic := basicInstallConfig() 186 ic.ControlPlane = &types.MachinePool{ 187 Platform: types.MachinePoolPlatform{ 188 AWS: &aws.MachinePool{ 189 IAMRole: "custom-master-role", 190 }, 191 }, 192 } 193 ic.Compute = []types.MachinePool{ 194 { 195 Platform: types.MachinePoolPlatform{ 196 AWS: &aws.MachinePool{ 197 IAMRole: "custom-master-role", 198 }, 199 }, 200 }, 201 } 202 assert.True(t, includesExistingInstanceRole(&ic)) 203 }) 204 }) 205 t.Run("Should be false when", func(t *testing.T) { 206 t.Run("no machine types specified", func(t *testing.T) { 207 ic := basicInstallConfig() 208 assert.False(t, includesExistingInstanceRole(&ic)) 209 }) 210 t.Run("no IAM roles specified", func(t *testing.T) { 211 ic := basicInstallConfig() 212 ic.AWS.DefaultMachinePlatform = &aws.MachinePool{} 213 ic.ControlPlane = &types.MachinePool{ 214 Platform: types.MachinePoolPlatform{ 215 AWS: &aws.MachinePool{}, 216 }, 217 } 218 ic.Compute = []types.MachinePool{ 219 { 220 Platform: types.MachinePoolPlatform{ 221 AWS: &aws.MachinePool{}, 222 }, 223 }, 224 } 225 assert.False(t, includesExistingInstanceRole(&ic)) 226 }) 227 }) 228 } 229 230 func TestIncludesExistingInstanceProfile(t *testing.T) { 231 t.Run("Should be true when", func(t *testing.T) { 232 t.Run("instance profile specified for defaultMachinePlatform", func(t *testing.T) { 233 ic := basicInstallConfig() 234 ic.AWS.DefaultMachinePlatform = &aws.MachinePool{ 235 IAMProfile: "custom-default-profile", 236 } 237 assert.True(t, includesExistingInstanceProfile(&ic)) 238 }) 239 t.Run("instance profile specified for controlPlane", func(t *testing.T) { 240 ic := basicInstallConfig() 241 ic.ControlPlane = &types.MachinePool{ 242 Platform: types.MachinePoolPlatform{ 243 AWS: &aws.MachinePool{ 244 IAMProfile: "custom-master-profile", 245 }, 246 }, 247 } 248 assert.True(t, includesExistingInstanceProfile(&ic)) 249 }) 250 t.Run("instance profile specified for compute", func(t *testing.T) { 251 ic := basicInstallConfig() 252 ic.Compute = []types.MachinePool{ 253 { 254 Platform: types.MachinePoolPlatform{ 255 AWS: &aws.MachinePool{ 256 IAMProfile: "custom-worker-profile", 257 }, 258 }, 259 }, 260 } 261 assert.True(t, includesExistingInstanceProfile(&ic)) 262 }) 263 t.Run("instance profile specified for controlPlane and compute", func(t *testing.T) { 264 ic := basicInstallConfig() 265 ic.ControlPlane = &types.MachinePool{ 266 Platform: types.MachinePoolPlatform{ 267 AWS: &aws.MachinePool{ 268 IAMProfile: "custom-master-profile", 269 }, 270 }, 271 } 272 ic.Compute = []types.MachinePool{ 273 { 274 Platform: types.MachinePoolPlatform{ 275 AWS: &aws.MachinePool{ 276 IAMProfile: "custom-worker-profile", 277 }, 278 }, 279 }, 280 } 281 assert.True(t, includesExistingInstanceProfile(&ic)) 282 }) 283 }) 284 t.Run("Should be false when", func(t *testing.T) { 285 t.Run("no machine types specified", func(t *testing.T) { 286 ic := basicInstallConfig() 287 assert.False(t, includesExistingInstanceProfile(&ic)) 288 }) 289 t.Run("no instance profiles specified", func(t *testing.T) { 290 ic := basicInstallConfig() 291 ic.AWS.DefaultMachinePlatform = &aws.MachinePool{} 292 ic.ControlPlane = &types.MachinePool{ 293 Platform: types.MachinePoolPlatform{ 294 AWS: &aws.MachinePool{}, 295 }, 296 } 297 ic.Compute = []types.MachinePool{ 298 { 299 Platform: types.MachinePoolPlatform{ 300 AWS: &aws.MachinePool{}, 301 }, 302 }, 303 } 304 assert.False(t, includesExistingInstanceProfile(&ic)) 305 }) 306 }) 307 } 308 309 func TestIAMRolePermissions(t *testing.T) { 310 t.Run("Should include", func(t *testing.T) { 311 t.Run("create and delete shared IAM role permissions", func(t *testing.T) { 312 t.Run("when role specified for controlPlane", func(t *testing.T) { 313 ic := validInstallConfig() 314 ic.ControlPlane.Platform.AWS.IAMRole = "custom-master-role" 315 requiredPerms := RequiredPermissionGroups(ic) 316 assert.Contains(t, requiredPerms, PermissionCreateInstanceRole) 317 assert.Contains(t, requiredPerms, PermissionDeleteSharedInstanceRole) 318 }) 319 t.Run("when instance profile specified for controlPlane", func(t *testing.T) { 320 ic := validInstallConfig() 321 ic.ControlPlane.Platform.AWS.IAMProfile = "custom-master-profile" 322 requiredPerms := RequiredPermissionGroups(ic) 323 assert.Contains(t, requiredPerms, PermissionCreateInstanceRole) 324 assert.NotContains(t, requiredPerms, PermissionDeleteSharedInstanceRole) 325 }) 326 t.Run("when role specified for compute", func(t *testing.T) { 327 ic := validInstallConfig() 328 ic.Compute[0].Platform.AWS.IAMRole = "custom-worker-role" 329 requiredPerms := RequiredPermissionGroups(ic) 330 assert.Contains(t, requiredPerms, PermissionCreateInstanceRole) 331 assert.Contains(t, requiredPerms, PermissionDeleteSharedInstanceRole) 332 }) 333 t.Run("when instance profile specified for compute", func(t *testing.T) { 334 ic := validInstallConfig() 335 ic.Compute[0].Platform.AWS.IAMProfile = "custom-worker-profile" 336 requiredPerms := RequiredPermissionGroups(ic) 337 assert.Contains(t, requiredPerms, PermissionCreateInstanceRole) 338 assert.NotContains(t, requiredPerms, PermissionDeleteSharedInstanceRole) 339 }) 340 }) 341 t.Run("create IAM role permissions", func(t *testing.T) { 342 t.Run("when no existing roles and instance profiles are specified", func(t *testing.T) { 343 ic := validInstallConfig() 344 requiredPerms := RequiredPermissionGroups(ic) 345 assert.Contains(t, requiredPerms, PermissionCreateInstanceRole) 346 assert.NotContains(t, requiredPerms, PermissionDeleteSharedInstanceRole) 347 }) 348 }) 349 }) 350 351 t.Run("Should not include create IAM role permissions", func(t *testing.T) { 352 t.Run("when role specified for defaultMachinePlatform", func(t *testing.T) { 353 ic := validInstallConfig() 354 ic.AWS.DefaultMachinePlatform = &aws.MachinePool{ 355 IAMRole: "custom-default-role", 356 } 357 requiredPerms := RequiredPermissionGroups(ic) 358 assert.NotContains(t, requiredPerms, PermissionCreateInstanceRole) 359 assert.Contains(t, requiredPerms, PermissionDeleteSharedInstanceRole) 360 }) 361 t.Run("when role specified for controlPlane and compute", func(t *testing.T) { 362 ic := validInstallConfig() 363 ic.ControlPlane.Platform.AWS.IAMRole = "custom-master-role" 364 ic.Compute[0].Platform.AWS.IAMRole = "custom-worker-role" 365 requiredPerms := RequiredPermissionGroups(ic) 366 assert.NotContains(t, requiredPerms, PermissionCreateInstanceRole) 367 assert.Contains(t, requiredPerms, PermissionDeleteSharedInstanceRole) 368 }) 369 t.Run("when instance profile specified for defaultMachinePlatform", func(t *testing.T) { 370 ic := validInstallConfig() 371 ic.AWS.DefaultMachinePlatform = &aws.MachinePool{ 372 IAMProfile: "custom-default-profile", 373 } 374 requiredPerms := RequiredPermissionGroups(ic) 375 assert.NotContains(t, requiredPerms, PermissionCreateInstanceRole) 376 assert.NotContains(t, requiredPerms, PermissionDeleteSharedInstanceRole) 377 }) 378 t.Run("when instance profile specified for controlPlane and compute", func(t *testing.T) { 379 ic := validInstallConfig() 380 ic.ControlPlane.Platform.AWS.IAMProfile = "custom-master-profile" 381 ic.Compute[0].Platform.AWS.IAMProfile = "custom-worker-profile" 382 requiredPerms := RequiredPermissionGroups(ic) 383 assert.NotContains(t, requiredPerms, PermissionCreateInstanceRole) 384 assert.NotContains(t, requiredPerms, PermissionDeleteSharedInstanceRole) 385 }) 386 }) 387 } 388 389 func TestIAMProfilePermissions(t *testing.T) { 390 t.Run("Should include", func(t *testing.T) { 391 t.Run("create and delete shared instance profile permissions", func(t *testing.T) { 392 t.Run("when instance profile specified for controlPlane", func(t *testing.T) { 393 ic := validInstallConfig() 394 ic.ControlPlane.Platform.AWS.IAMProfile = "custom-master-profile" 395 requiredPerms := RequiredPermissionGroups(ic) 396 assert.Contains(t, requiredPerms, PermissionCreateInstanceProfile) 397 assert.Contains(t, requiredPerms, PermissionDeleteSharedInstanceProfile) 398 }) 399 t.Run("when instance profile specified for compute", func(t *testing.T) { 400 ic := validInstallConfig() 401 ic.Compute[0].Platform.AWS.IAMProfile = "custom-worker-profile" 402 requiredPerms := RequiredPermissionGroups(ic) 403 assert.Contains(t, requiredPerms, PermissionCreateInstanceProfile) 404 assert.Contains(t, requiredPerms, PermissionDeleteSharedInstanceProfile) 405 }) 406 }) 407 t.Run("create instance profile permissions", func(t *testing.T) { 408 t.Run("when no existing instance profiles are specified", func(t *testing.T) { 409 ic := validInstallConfig() 410 requiredPerms := RequiredPermissionGroups(ic) 411 assert.Contains(t, requiredPerms, PermissionCreateInstanceProfile) 412 assert.NotContains(t, requiredPerms, PermissionDeleteSharedInstanceProfile) 413 }) 414 }) 415 }) 416 417 t.Run("Should not include create instance profile permissions", func(t *testing.T) { 418 t.Run("when instance profile specified for defaultMachinePlatform", func(t *testing.T) { 419 ic := validInstallConfig() 420 ic.AWS.DefaultMachinePlatform = &aws.MachinePool{ 421 IAMProfile: "custom-default-profile", 422 } 423 requiredPerms := RequiredPermissionGroups(ic) 424 assert.NotContains(t, requiredPerms, PermissionCreateInstanceProfile) 425 assert.Contains(t, requiredPerms, PermissionDeleteSharedInstanceProfile) 426 }) 427 t.Run("when instance profile specified for controlPlane and compute", func(t *testing.T) { 428 ic := validInstallConfig() 429 ic.ControlPlane.Platform.AWS.IAMProfile = "custom-master-profile" 430 ic.Compute[0].Platform.AWS.IAMProfile = "custom-worker-profile" 431 requiredPerms := RequiredPermissionGroups(ic) 432 assert.NotContains(t, requiredPerms, PermissionCreateInstanceProfile) 433 assert.Contains(t, requiredPerms, PermissionDeleteSharedInstanceProfile) 434 }) 435 }) 436 } 437 438 func TestIncludesKMSEncryptionKeys(t *testing.T) { 439 t.Run("Should be true when", func(t *testing.T) { 440 t.Run("KMS key specified for defaultMachinePlatform", func(t *testing.T) { 441 ic := basicInstallConfig() 442 ic.AWS.DefaultMachinePlatform = &aws.MachinePool{ 443 EC2RootVolume: aws.EC2RootVolume{ 444 KMSKeyARN: "custom-default-key", 445 }, 446 } 447 assert.True(t, includesKMSEncryptionKey(&ic)) 448 }) 449 t.Run("KMS key specified for controlPlane", func(t *testing.T) { 450 ic := basicInstallConfig() 451 ic.ControlPlane = &types.MachinePool{ 452 Platform: types.MachinePoolPlatform{ 453 AWS: &aws.MachinePool{ 454 EC2RootVolume: aws.EC2RootVolume{ 455 KMSKeyARN: "custom-master-key", 456 }, 457 }, 458 }, 459 } 460 assert.True(t, includesKMSEncryptionKey(&ic)) 461 }) 462 t.Run("KMS key specified for compute", func(t *testing.T) { 463 ic := basicInstallConfig() 464 ic.Compute = []types.MachinePool{ 465 { 466 Platform: types.MachinePoolPlatform{ 467 AWS: &aws.MachinePool{ 468 EC2RootVolume: aws.EC2RootVolume{ 469 KMSKeyARN: "custom-worker-key", 470 }, 471 }, 472 }, 473 }, 474 } 475 assert.True(t, includesKMSEncryptionKey(&ic)) 476 }) 477 t.Run("KMS key specified for controlPlane and compute", func(t *testing.T) { 478 ic := basicInstallConfig() 479 ic.ControlPlane = &types.MachinePool{ 480 Platform: types.MachinePoolPlatform{ 481 AWS: &aws.MachinePool{ 482 EC2RootVolume: aws.EC2RootVolume{ 483 KMSKeyARN: "custom-master-key", 484 }, 485 }, 486 }, 487 } 488 ic.Compute = []types.MachinePool{ 489 { 490 Platform: types.MachinePoolPlatform{ 491 AWS: &aws.MachinePool{ 492 EC2RootVolume: aws.EC2RootVolume{ 493 KMSKeyARN: "custom-worker-key", 494 }, 495 }, 496 }, 497 }, 498 } 499 assert.True(t, includesKMSEncryptionKey(&ic)) 500 }) 501 }) 502 t.Run("Should be false when", func(t *testing.T) { 503 t.Run("no machine types specified", func(t *testing.T) { 504 ic := basicInstallConfig() 505 assert.False(t, includesKMSEncryptionKey(&ic)) 506 }) 507 t.Run("no KMS keys specified", func(t *testing.T) { 508 ic := basicInstallConfig() 509 ic.AWS.DefaultMachinePlatform = &aws.MachinePool{} 510 ic.ControlPlane = &types.MachinePool{ 511 Platform: types.MachinePoolPlatform{ 512 AWS: &aws.MachinePool{}, 513 }, 514 } 515 ic.Compute = []types.MachinePool{ 516 { 517 Platform: types.MachinePoolPlatform{ 518 AWS: &aws.MachinePool{}, 519 }, 520 }, 521 } 522 assert.False(t, includesKMSEncryptionKey(&ic)) 523 }) 524 }) 525 } 526 527 func TestKMSKeyPermissions(t *testing.T) { 528 t.Run("Should include KMS key permissions", func(t *testing.T) { 529 t.Run("when KMS key specified for controlPlane", func(t *testing.T) { 530 ic := validInstallConfig() 531 ic.ControlPlane.Platform.AWS.EC2RootVolume = aws.EC2RootVolume{ 532 KMSKeyARN: "custom-master-key", 533 } 534 requiredPerms := RequiredPermissionGroups(ic) 535 assert.Contains(t, requiredPerms, PermissionKMSEncryptionKeys) 536 }) 537 t.Run("when KMS key specified for compute", func(t *testing.T) { 538 ic := validInstallConfig() 539 ic.Compute[0].Platform.AWS.EC2RootVolume = aws.EC2RootVolume{ 540 KMSKeyARN: "custom-worker-key", 541 } 542 requiredPerms := RequiredPermissionGroups(ic) 543 assert.Contains(t, requiredPerms, PermissionKMSEncryptionKeys) 544 }) 545 t.Run("when KMS key specified for defaultMachinePlatform", func(t *testing.T) { 546 ic := validInstallConfig() 547 ic.AWS.DefaultMachinePlatform = &aws.MachinePool{ 548 EC2RootVolume: aws.EC2RootVolume{ 549 KMSKeyARN: "custom-default-key", 550 }, 551 } 552 requiredPerms := RequiredPermissionGroups(ic) 553 assert.Contains(t, requiredPerms, PermissionKMSEncryptionKeys) 554 }) 555 }) 556 557 t.Run("Should not include KMS key permissions", func(t *testing.T) { 558 t.Run("when no machine types specified", func(t *testing.T) { 559 ic := validInstallConfig() 560 ic.ControlPlane = nil 561 ic.Compute = nil 562 requiredPerms := RequiredPermissionGroups(ic) 563 assert.NotContains(t, requiredPerms, PermissionKMSEncryptionKeys) 564 }) 565 t.Run("when no KMS keys specified", func(t *testing.T) { 566 ic := validInstallConfig() 567 ic.AWS.DefaultMachinePlatform = &aws.MachinePool{} 568 requiredPerms := RequiredPermissionGroups(ic) 569 assert.NotContains(t, requiredPerms, PermissionKMSEncryptionKeys) 570 }) 571 }) 572 } 573 574 func TestVPCPermissions(t *testing.T) { 575 t.Run("Should include", func(t *testing.T) { 576 t.Run("create network permissions when VPC not specified", func(t *testing.T) { 577 t.Run("for standard regions", func(t *testing.T) { 578 ic := validInstallConfig() 579 ic.AWS.Subnets = nil 580 ic.AWS.HostedZone = "" 581 requiredPerms := RequiredPermissionGroups(ic) 582 assert.Contains(t, requiredPerms, PermissionCreateNetworking) 583 }) 584 t.Run("for secret regions", func(t *testing.T) { 585 ic := validInstallConfig() 586 ic.AWS.Region = "us-iso-east-1" 587 ic.AWS.Subnets = nil 588 ic.AWS.HostedZone = "" 589 requiredPerms := RequiredPermissionGroups(ic) 590 assert.Contains(t, requiredPerms, PermissionCreateNetworking) 591 }) 592 }) 593 t.Run("delete network permissions when VPC not specified for standard region", func(t *testing.T) { 594 ic := validInstallConfig() 595 ic.AWS.Subnets = nil 596 ic.AWS.HostedZone = "" 597 requiredPerms := RequiredPermissionGroups(ic) 598 assert.Contains(t, requiredPerms, PermissionDeleteNetworking) 599 }) 600 t.Run("delete shared network permissions when VPC specified for standard region", func(t *testing.T) { 601 ic := validInstallConfig() 602 requiredPerms := RequiredPermissionGroups(ic) 603 assert.Contains(t, requiredPerms, PermissionDeleteSharedNetworking) 604 }) 605 }) 606 t.Run("Should not include", func(t *testing.T) { 607 t.Run("create network permissions when VPC specified", func(t *testing.T) { 608 ic := validInstallConfig() 609 requiredPerms := RequiredPermissionGroups(ic) 610 assert.NotContains(t, requiredPerms, PermissionCreateNetworking) 611 }) 612 t.Run("delete network permissions", func(t *testing.T) { 613 t.Run("when VPC specified", func(t *testing.T) { 614 ic := validInstallConfig() 615 requiredPerms := RequiredPermissionGroups(ic) 616 assert.NotContains(t, requiredPerms, PermissionDeleteNetworking) 617 }) 618 t.Run("on secret regions", func(t *testing.T) { 619 ic := validInstallConfig() 620 ic.AWS.Region = "us-iso-east-1" 621 requiredPerms := RequiredPermissionGroups(ic) 622 assert.NotContains(t, requiredPerms, PermissionDeleteNetworking) 623 }) 624 }) 625 t.Run("delete shared network permissions", func(t *testing.T) { 626 t.Run("when VPC not specified", func(t *testing.T) { 627 ic := validInstallConfig() 628 ic.AWS.Subnets = nil 629 ic.AWS.HostedZone = "" 630 requiredPerms := RequiredPermissionGroups(ic) 631 assert.NotContains(t, requiredPerms, PermissionDeleteSharedNetworking) 632 }) 633 t.Run("on secret regions", func(t *testing.T) { 634 ic := validInstallConfig() 635 ic.AWS.Region = "us-iso-east-1" 636 requiredPerms := RequiredPermissionGroups(ic) 637 assert.NotContains(t, requiredPerms, PermissionDeleteSharedNetworking) 638 }) 639 }) 640 }) 641 } 642 643 func TestPrivateZonePermissions(t *testing.T) { 644 t.Run("Should include", func(t *testing.T) { 645 t.Run("create hosted zone permissions when PHZ not specified", func(t *testing.T) { 646 ic := validInstallConfig() 647 ic.AWS.HostedZone = "" 648 requiredPerms := RequiredPermissionGroups(ic) 649 assert.Contains(t, requiredPerms, PermissionCreateHostedZone) 650 }) 651 t.Run("delete hosted zone permissions when PHZ not specified on standard regions", func(t *testing.T) { 652 ic := validInstallConfig() 653 ic.AWS.HostedZone = "" 654 requiredPerms := RequiredPermissionGroups(ic) 655 assert.Contains(t, requiredPerms, PermissionDeleteHostedZone) 656 }) 657 }) 658 t.Run("Should not include", func(t *testing.T) { 659 t.Run("create hosted zone permissions when PHZ specified", func(t *testing.T) { 660 ic := validInstallConfig() 661 requiredPerms := RequiredPermissionGroups(ic) 662 assert.NotContains(t, requiredPerms, PermissionCreateHostedZone) 663 }) 664 t.Run("delete hosted zone permissions", func(t *testing.T) { 665 t.Run("on secret regions", func(t *testing.T) { 666 ic := validInstallConfig() 667 requiredPerms := RequiredPermissionGroups(ic) 668 assert.NotContains(t, requiredPerms, PermissionDeleteHostedZone) 669 }) 670 t.Run("when PHZ specified", func(t *testing.T) { 671 ic := validInstallConfig() 672 requiredPerms := RequiredPermissionGroups(ic) 673 assert.NotContains(t, requiredPerms, PermissionDeleteHostedZone) 674 }) 675 }) 676 }) 677 } 678 679 func TestPublicIPv4PoolPermissions(t *testing.T) { 680 t.Run("Should include IPv4Pool permissions when IPv4 pool specified", func(t *testing.T) { 681 ic := validInstallConfig() 682 ic.AWS.PublicIpv4Pool = "custom-ipv4-pool" 683 requiredPerms := RequiredPermissionGroups(ic) 684 assert.Contains(t, requiredPerms, PermissionPublicIpv4Pool) 685 }) 686 t.Run("Should not include IPv4Pool permissions when IPv4 pool not specified", func(t *testing.T) { 687 ic := validInstallConfig() 688 requiredPerms := RequiredPermissionGroups(ic) 689 assert.NotContains(t, requiredPerms, PermissionPublicIpv4Pool) 690 }) 691 } 692 693 func TestBasePermissions(t *testing.T) { 694 t.Run("Should include", func(t *testing.T) { 695 t.Run("base create permissions", func(t *testing.T) { 696 t.Run("on standard regions", func(t *testing.T) { 697 ic := validInstallConfig() 698 requiredPerms := RequiredPermissionGroups(ic) 699 assert.Contains(t, requiredPerms, PermissionCreateBase) 700 }) 701 t.Run("on secret regions", func(t *testing.T) { 702 ic := validInstallConfig() 703 ic.AWS.Region = "us-iso-east-1" 704 requiredPerms := RequiredPermissionGroups(ic) 705 assert.Contains(t, requiredPerms, PermissionCreateBase) 706 }) 707 }) 708 t.Run("base delete permissions on standard regions", func(t *testing.T) { 709 ic := validInstallConfig() 710 requiredPerms := RequiredPermissionGroups(ic) 711 assert.Contains(t, requiredPerms, PermissionDeleteBase) 712 }) 713 }) 714 t.Run("Should not include base delete permissions on secret regions", func(t *testing.T) { 715 ic := validInstallConfig() 716 ic.AWS.Region = "us-iso-east-1" 717 requiredPerms := RequiredPermissionGroups(ic) 718 assert.NotContains(t, requiredPerms, PermissionDeleteBase) 719 }) 720 } 721 722 func TestDeleteIgnitionPermissions(t *testing.T) { 723 t.Run("Should include delete ignition permissions", func(t *testing.T) { 724 ic := validInstallConfig() 725 requiredPerms := RequiredPermissionGroups(ic) 726 assert.Contains(t, requiredPerms, PermissionDeleteIgnitionObjects) 727 }) 728 t.Run("Should not include delete ignition permission when specified", func(t *testing.T) { 729 ic := validInstallConfig() 730 ic.AWS.BestEffortDeleteIgnition = true 731 requiredPerms := RequiredPermissionGroups(ic) 732 assert.NotContains(t, requiredPerms, PermissionDeleteIgnitionObjects) 733 }) 734 }