giantswarm/aws-operator

Creating IAM policies should be idempotent

rossf7 opened this issue · 1 comments

Currently, creating the master and worker IAM policies is not idempotent. When a cluster is re-processed, creating the policy errors.

// Currently always returns an error, so re-processing a cluster cannot succeed.
func (p *Policy) CreateIfNotExists() (bool, error) {
	return false, fmt.Errorf("instance profiles cannot be reused")
}

https://github.com/giantswarm/aws-operator/blob/master/resources/aws/policy.go#L143

For now, we should check if the policy exists before creating it. Later we need to be able to update the IAM policy or recreate it.

Increasing priority as this can break cluster creation. When creating the IAM policies errors, the policy name is an empty string. This causes an error when creating the workers' launch config, as the IAM profile is not set.

{"caller":"github.com/giantswarm/aws-operator/service/create/service.go:493","error":"error processing cluster 'dqnu2': '[{/go/src/github.com/giantswarm/aws-operator/service/create/service.go:974: could not create launch config: '[{/go/src/github.com/giantswarm/aws-operator/service/create/launch_configuration.go:109: } {/go/src/github.com/giantswarm/aws-operator/resources/aws/launch_configuration.go:50: } {/go/src/github.com/giantswarm/aws-operator/resources/aws/launch_configuration.go:90: } {InvalidParameter: 1 validation error(s) found.\n- minimum field size of 1, CreateLaunchConfigurationInput.IamInstanceProfile.\n}]'} {execution failed}]'","time":"17-10-09 16:27:50.664"}

We should detect and ignore the creation error if the IAM policy already exists, as well as ensuring the policy name is set correctly.
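Added example, not aws-operator's own code: an idempotent CreateIfNotExists along the lines the issue and the comment describe. It checks whether the policy exists before creating it, treats the IAM API's EntityAlreadyExists error as "already there" so a create racing another reconcile is ignored rather than failing, and refuses an empty policy name so the launch config error above cannot follow. The iamClient interface, the fakeIAM stand-in and the Policy fields are assumptions replacing the AWS SDK calls.

```go
package main

import (
	"errors"
	"fmt"
)

// Mirrors the EntityAlreadyExists error code the IAM API returns for a duplicate policy name.
var errEntityAlreadyExists = errors.New("EntityAlreadyExists")
type iamClient interface { // assumed abstraction over the two IAM calls, so an in-memory fake can stand in for the SDK
	PolicyExists(name string) (bool, error)
	CreatePolicy(name, document string) error
}

type Policy struct { // modelled on the aws-operator resource; the fields are assumptions
	Name, Document string
	Client         iamClient
}

// CreateIfNotExists returns true if the policy already existed, false if this call created it.
// Re-processing a cluster takes the exists branch; EntityAlreadyExists covers a racing reconcile.
func (p *Policy) CreateIfNotExists() (bool, error) {
	if p.Name == "" { // an empty name is what later breaks the workers' launch config
		return false, fmt.Errorf("policy name must not be empty")
	}
	if exists, err := p.Client.PolicyExists(p.Name); err != nil || exists {
		return exists, err
	}
	err := p.Client.CreatePolicy(p.Name, p.Document)
	if errors.Is(err, errEntityAlreadyExists) {
		return true, nil
	}
	return false, err
}

type fakeIAM struct{ policies map[string]string } // constructed in-memory stand-in for IAM
func (f *fakeIAM) PolicyExists(name string) (bool, error) { _, ok := f.policies[name]; return ok, nil }
func (f *fakeIAM) CreatePolicy(name, doc string) error {
	if _, ok := f.policies[name]; ok {
		return errEntityAlreadyExists
	}
	f.policies[name] = doc
	return nil
}

func main() {
	p := &Policy{Name: "dqnu2-worker", Document: "{}", Client: &fakeIAM{policies: map[string]string{}}}
	fmt.Println(p.CreateIfNotExists()) // first run creates: false <nil>
	fmt.Println(p.CreateIfNotExists()) // re-processing is a no-op: true <nil>
}
```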