Prevent duplication, and add flag to disable shadowing of IAM Identity Mappings #4963
Conversation
|
Hi! Thank you for your contribution! :)
Unit tests? All tests? Hmm, they can be slow, since they set up a lot of mocks and extra things and a fake http router potentially and a kubernetes client... :D A lot of things. I'll leave review comments in code. |
| @@ -133,6 +137,15 @@ func doCreateIAMIdentityMapping(cmd *cmdutils.Cmd, options iamIdentityMappingOpt | |||
| for _, identity := range identities { | |||
| arn := identity.ARN() | |||
|
|
|||
| if iam.CompareIdentity(id, identity) { | |||
There was a problem hiding this comment.
Hey @DameonSmith!
This check here, should have been behind the below if, right? :D :D
I think we missed that. :)
There was a problem hiding this comment.
Or rather, I think this also needs the && options.NoDuplicateArns.
There was a problem hiding this comment.
This check was to just ignore any duplicated identity entirely. Regardless of whether or not the duplicate arn flags was set.
I was trying to avoid having this kind of pollution:
arn: arn1, namespace: default, groups: [group1, group2]
arn: arn1, namespace: default, groups: [group1, group2]
arn: arn1, namespace: default, groups: [group2, group1]
etc...
The context was specifically using eskctl in pipelines and IaC to create default roles and users for a cluster. The pipeline was run multiple times and would just input the same config over and over again. My assumption was that if a record was in the aws_auth config map it should just be ignored without an error as there's no functional difference.
The NoDuplicateArns flag was meant to prevent silent shadowing of existing roles with different permissions. I wanted to ability to have better visibility on something like the "ReadOnlyUsers" role accidentally got the masters group added to it.
Hopefully that makes sense, and there's not something about my assumptions that were mistaken. Let me know if I need to fix something.
There was a problem hiding this comment.
But we specifically allow duplicate entries. We even have an integration test for it that was now failing. 🤔
There was a problem hiding this comment.
Oh I didn't realize that was a feature, Is there a reason to allow duplicates?
Either way I can add that flag as a requirement if that's what you'd like. Should I open another PR or is there some way to open this one?
There was a problem hiding this comment.
Yeah opened one here #5080 :)
…y Mappings (eksctl-io#4963) * Adding functionality to compare when iam Identity values are equal. * Adding check to skip identitcal iam Identities when creating identity mapping. * Added a the flag '--no-shadow' to throw error when trying to create two auth records with the same Arn * Updating Identity comparison function to verify that unsorted groups with same elements are identical. * Fixing formatting recommended in PR. * Changing name of --no-shadow flag to --no-duplicate-arns Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Description
I implemented functionality that will prevent duplication of
aws_authentries. The goal of this was to make theeksctl create iamidentitymappingcommand more automation friendly. I had been using this command in some IAC code and ended up having a large number of copies of the exact same record.This involved changes in 2 areas primarily:
I also added a flag to the
eksctl create iamidentitymappingcalled--no-shadowwhen this flag is set the command will error should there be an Identity using the same ARN already in place. The goal of this change is to be able to provide better guarantees that configurations aren't accidentally changed.Let me know if there's anything here that doesn't match the projects style or format, or if I'm just contributing to technical debt by working it in the way that I did.
Also as a side note the tests ran extremely slowly on my machine (1-2 second per package), is that expected behavior?
Checklist
README.md, or theuserdocsdirectory)area/nodegroup) and kind (e.g.kind/improvement)BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯