kubernetes-sigs
diff --git a/‎docs/install/iam_policy_aga.json‎
Lines changed: 108 additions & 0 deletions b/‎docs/install/iam_policy_aga.json‎
Lines changed: 108 additions & 0 deletions
diff --git a/‎scripts/ci_e2e_test.sh‎
Lines changed: 54 additions & 1 deletion b/‎scripts/ci_e2e_test.sh‎
Lines changed: 54 additions & 1 deletion
diff --git a/‎scripts/lib/eksctl.sh‎
Lines changed: 40 additions & 0 deletions b/‎scripts/lib/eksctl.sh‎
Lines changed: 40 additions & 0 deletions
@@ -0,0 +1,108 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "iam:CreateServiceLinkedRole"
+            ],
+            "Resource": "*",
+            "Condition": {
+                "StringEquals": {
+                    "iam:AWSServiceName": [
+                        "globalaccelerator.amazonaws.com"
+                    ]
+                }
+            }
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "globalaccelerator:DescribeAccelerator",
+                "globalaccelerator:DescribeEndpointGroup",
+                "globalaccelerator:DescribeListener",
+                "globalaccelerator:ListAccelerators",
+                "globalaccelerator:ListEndpointGroups",
+                "globalaccelerator:ListListeners",
+                "globalaccelerator:ListTagsForResource",
+                "ec2:DescribeRegions"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "globalaccelerator:CreateAccelerator"
+            ],
+            "Resource": "*",
+            "Condition": {
+                "Null": {
+                    "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+                },
+                "StringEquals": {
+                    "aws:RequestTag/aga.k8s.aws/resource": "GlobalAccelerator"
+                }
+            }
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "globalaccelerator:UpdateAccelerator",
+                "globalaccelerator:DeleteAccelerator",
+                "globalaccelerator:CreateListener",
+                "globalaccelerator:UpdateListener",
+                "globalaccelerator:DeleteListener",
+                "globalaccelerator:CreateEndpointGroup",
+                "globalaccelerator:UpdateEndpointGroup",
+                "globalaccelerator:DeleteEndpointGroup",
+                "globalaccelerator:AddEndpoints",
+                "globalaccelerator:RemoveEndpoints"
+            ],
+            "Resource": [
+                "arn:aws:globalaccelerator::*:accelerator/*",
+                "arn:aws:globalaccelerator::*:accelerator/*/listener/*",
+                "arn:aws:globalaccelerator::*:accelerator/*/listener/*/endpoint-group/*"
+            ],
+            "Condition": {
+                "Null": {
+                    "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+                },
+                "StringEquals": {
+                    "aws:ResourceTag/aga.k8s.aws/resource": "GlobalAccelerator"
+                }
+            }
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "globalaccelerator:TagResource",
+                "globalaccelerator:UntagResource"
+            ],
+            "Resource": "arn:aws:globalaccelerator::*:accelerator/*",
+            "Condition": {
+                "Null": {
+                    "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
+                    "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+                },
+                "StringEquals": {
+                    "aws:ResourceTag/aga.k8s.aws/resource": "GlobalAccelerator"
+                }
+            }
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "globalaccelerator:TagResource"
+            ],
+            "Resource": "arn:aws:globalaccelerator::*:accelerator/*",
+            "Condition": {
+                "Null": {
+                    "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+                },
+                "StringEquals": {
+                    "aws:RequestTag/aga.k8s.aws/resource": "GlobalAccelerator"
+                }
+            }
+        }
+    ]
+}
@@ -28,6 +28,11 @@ CONTROLLER_IAM_POLICY_FILE="$(dirname "${BASH_SOURCE[0]}")/../docs/install/iam_p
 CONTROLLER_IAM_POLICY_NAME="lb-controller-e2e-${PULL_NUMBER}-$BUILD_ID"
 CONTROLLER_IAM_POLICY_ARN="" # will be fulfilled during setup_controller_iam_sa
 
+# Global Accelerator IAM policy settings
+CONTROLLER_AGA_IAM_POLICY_FILE="$(dirname "${BASH_SOURCE[0]}")/../docs/install/iam_policy_aga.json"
+CONTROLLER_AGA_IAM_POLICY_NAME="lb-controller-aga-e2e-${PULL_NUMBER}-$BUILD_ID"
+CONTROLLER_AGA_IAM_POLICY_ARN="" # will be fulfilled during setup_controller_aga_iam
+
 # Cluster settings
 EKSCTL_VERSION="v0.210.0"
 CLUSTER_NAME="lb-controller-e2e-${PULL_NUMBER}-$BUILD_ID"
@@ -160,16 +165,63 @@ setup_controller_iam_sa() {
   return 0
 }
 
+#######################################
+# Setup Global Accelerator IAM policy for AWS Load Balancer Controller
+#
+# Globals:
+#   AWS_REGION
+#   CLUSTER_NAME
+#   CONTROLLER_SA_NAMESPACE
+#   CONTROLLER_SA_NAME
+#   CONTROLLER_AGA_IAM_POLICY_NAME
+#   CONTROLLER_AGA_IAM_POLICY_FILE
+#   CONTROLLER_AGA_IAM_POLICY_ARN
+# Arguments:
+#   None
+#######################################
+setup_controller_aga_iam() {
+  if [[ -z "${CONTROLLER_AGA_IAM_POLICY_ARN}" ]]; then
+    echo "creating Global Accelerator IAM policy for controller"
+
+    CONTROLLER_AGA_IAM_POLICY_ARN=$(iam::create_policy "${CONTROLLER_AGA_IAM_POLICY_NAME}" "${CONTROLLER_AGA_IAM_POLICY_FILE}" "${AWS_REGION}")
+    if [[ $? -ne 0 ]]; then
+      echo "unable to create Global Accelerator IAM policy for controller" >&2
+      return 1
+    fi
+
+    echo "created Global Accelerator IAM policy for controller: ${CONTROLLER_AGA_IAM_POLICY_ARN}"
+  fi
+
+  if ! eksctl::attach_policy_to_iamserviceaccount "${CLUSTER_NAME}" "${AWS_REGION}" "${CONTROLLER_SA_NAMESPACE}" "${CONTROLLER_SA_NAME}" "${CONTROLLER_AGA_IAM_POLICY_ARN}"; then
+    echo "unable to attach Global Accelerator IAM policy to service account" >&2
+    return 1
+  fi
+
+  return 0
+}
+
 #######################################
 # Cleanup IAM role and Service Account for AWS Load Balancer Controller
 #
 # Globals:
 #   AWS_REGION
 #   CONTROLLER_IAM_POLICY_ARN
+#   CONTROLLER_AGA_IAM_POLICY_ARN
 # Arguments:
 #   None
 #######################################
 cleanup_controller_iam_sa() {
+  if [[ -n "${CONTROLLER_AGA_IAM_POLICY_ARN}" ]]; then
+    echo "deleting Global Accelerator IAM policy for controller"
+
+    if ! iam::delete_policy "${CONTROLLER_AGA_IAM_POLICY_ARN}" "${AWS_REGION}"; then
+      echo "unable to delete Global Accelerator IAM policy for controller" >&2
+      return 1
+    fi
+
+    echo "deleted Global Accelerator IAM policy for controller: ${CONTROLLER_AGA_IAM_POLICY_ARN}"
+  fi
+
   if [[ -n "${CONTROLLER_IAM_POLICY_ARN}" ]]; then
     echo "deleting IAM policy for controller"
 
@@ -212,7 +264,7 @@ test_controller_image() {
   CERTIFICATE_ARNS=${CERTIFICATE_ARNS:-"${CERTIFICATE_ARN_PREFIX}/${CERT_ID1},${CERTIFICATE_ARN_PREFIX}/${CERT_ID2},${CERTIFICATE_ARN_PREFIX}/${CERT_ID3}"}
   echo "creating s3 bucket $S3_BUCKET"
   aws s3api create-bucket --bucket $S3_BUCKET --region $AWS_REGION --create-bucket-configuration LocationConstraint=$AWS_REGION || true
-  ginkgo -timeout 3h -v -r test/e2e -- \
+  ginkgo -timeout 3h -v test/e2e/globalaccelerator -- \
     --kubeconfig=${CLUSTER_KUBECONFIG} \
     --cluster-name=${CLUSTER_NAME} \
     --aws-region=${AWS_REGION} \
@@ -266,6 +318,7 @@ main() {
   trap "cleanup" EXIT
   setup_cluster
   setup_controller_iam_sa
+  setup_controller_aga_iam
   test_controller_image
 }
 
 
@@ -189,3 +189,43 @@ eksctl::create_iamserviceaccount() {
   echo "created cluster SA ${sa_namespace}/${sa_name}"
   return 0
 }
+
+#######################################
+# Attach IAM policy to existing Service Account
+#
+# Globals:
+#   None
+# Arguments:
+#   cluster_name        EKS cluster's name
+#   region              aws region
+#   sa_namespace        namespace of service account
+#   sa_name             name of service account
+#   iam_policy_arn      arn of iam policy to attach
+#
+# sample: eksctl::attach_policy_to_iamserviceaccount awesome-cluster us-west-2 awesome-ns awesome-name arn:aws:iam::xxxxx:policy/xxxxxx
+#######################################
+eksctl::attach_policy_to_iamserviceaccount() {
+  declare -r cluster_name="$1" region="$2" sa_namespace="$3" sa_name="$4" iam_policy_arn="$5"
+
+  echo "attaching policy to cluster SA ${sa_namespace}/${sa_name}"
+  
+  # Get the IAM role ARN associated with the service account
+  local role_arn
+  role_arn=$(kubectl get sa "${sa_name}" -n "${sa_namespace}" -o jsonpath='{.metadata.annotations.eks\.amazonaws\.com/role-arn}')
+  if [[ -z "${role_arn}" ]]; then
+    echo "unable to get IAM role ARN for service account ${sa_namespace}/${sa_name}" >&2
+    return 1
+  fi
+  
+  local role_name
+  role_name=$(echo "${role_arn}" | awk -F'/' '{print $NF}')
+  
+  echo "attaching policy ${iam_policy_arn} to role ${role_name}"
+  if ! aws iam attach-role-policy --region "${region}" --role-name "${role_name}" --policy-arn "${iam_policy_arn}"; then
+    echo "unable to attach policy to role ${role_name}" >&2
+    return 1
+  fi
+
+  echo "attached policy to cluster SA ${sa_namespace}/${sa_name}"
+  return 0
+}