🐛 Make print-policy consistent with print-cloudformation-template

Previously, print-policy claimed to output all policies, but in fact it
missed some policies, because it did not use the code as
print-cloudformation-template. This change makes print-policy use the
same code, making it consistent.

Also, print-policy would not output valid JSON, but rather multiple,
concatenated JSON documents. It now outputs all policies as a valid JSON
object, where the keys are policy names, and the values are the
policies.

Author: dlipovetsky

cmd/clusterawsadm/cloudformation/bootstrap/iam.go

@@ -17,19 +17,14 @@ limitations under the License.
 package bootstrap
 
 import (
-	"fmt"
-	"os"
-	"path"
-
-	"sigs.k8s.io/cluster-api-provider-aws/v2/cmd/clusterawsadm/converters"
-	iamv1 "sigs.k8s.io/cluster-api-provider-aws/v2/iam/api/v1beta1"
+	"github.com/awslabs/goformation/v4/cloudformation/iam"
 )
 
 // PolicyName defines the name of a managed IAM policy.
 type PolicyName string
 
 // ManagedIAMPolicyNames slice of managed IAM policies.
-var ManagedIAMPolicyNames = [5]PolicyName{ControllersPolicy, ControllersPolicyEKS, ControlPlanePolicy, NodePolicy, CSIPolicy}
+var ManagedIAMPolicyNames = []PolicyName{ControllersPolicy, ControllersPolicyEKS, ControlPlanePolicy, NodePolicy, CSIPolicy}
 
 // IsValid will check if a given policy name is valid. That is, it will check if the given policy name is
 // one of the ManagedIAMPolicyNames.
@@ -42,49 +37,21 @@ func (p PolicyName) IsValid() bool {
 	return false
 }
 
-// GenerateManagedIAMPolicyDocuments generates JSON representation of policy documents for all ManagedIAMPolicy.
-func (t Template) GenerateManagedIAMPolicyDocuments(policyDocDir string) error {
-	for _, pn := range ManagedIAMPolicyNames {
-		pd := t.GetPolicyDocFromPolicyName(pn)
-
-		pds, err := converters.IAMPolicyDocumentToJSON(*pd)
-		if err != nil {
-			return fmt.Errorf("failed to marshal policy document for ManagedIAMPolicy %q: %w", pn, err)
-		}
+// RenderManagedIAMPolicies returns all the managed IAM Policies that would be rendered by the template.
+func (t Template) RenderManagedIAMPolicies() map[string]*iam.ManagedPolicy {
+	cft := t.RenderCloudFormation()
 
-		fn := path.Join(policyDocDir, fmt.Sprintf("%s.json", pn))
-		err = os.WriteFile(fn, []byte(pds), 0o600)
-		if err != nil {
-			return fmt.Errorf("failed to generate policy document for ManagedIAMPolicy %q: %w", pn, err)
-		}
-	}
-	return nil
+	return cft.GetAllIAMManagedPolicyResources()
 }
 
-func (t Template) policyFunctionMap() map[PolicyName]func() *iamv1.PolicyDocument {
-	return map[PolicyName]func() *iamv1.PolicyDocument{
-		ControlPlanePolicy:   t.cloudProviderControlPlaneAwsPolicy,
-		ControllersPolicy:    t.ControllersPolicy,
-		ControllersPolicyEKS: t.ControllersPolicyEKS,
-		NodePolicy:           t.cloudProviderNodeAwsPolicy,
-		CSIPolicy:            t.csiControllerPolicy,
-	}
-}
+// RenderManagedIAMPolicy returns a specific managed IAM Policy by name, or nil if the policy is not found.
+func (t Template) RenderManagedIAMPolicy(name PolicyName) *iam.ManagedPolicy {
+	cft := t.RenderCloudFormation()
 
-// PrintPolicyDocs prints the JSON representation of policy documents for all ManagedIAMPolicy.
-func (t Template) PrintPolicyDocs() error {
-	for _, name := range ManagedIAMPolicyNames {
-		policyDoc := t.GetPolicyDocFromPolicyName(name)
-		value, err := converters.IAMPolicyDocumentToJSON(*policyDoc)
-		if err != nil {
-			return err
-		}
-		fmt.Println(name, value)
+	p, err := cft.GetIAMManagedPolicyWithName(string(name))
+	if err != nil {
+		// Return error only if the policy is not found.
+		return nil
 	}
-	return nil
-}
-
-// GetPolicyDocFromPolicyName returns a Template's policy document.
-func (t Template) GetPolicyDocFromPolicyName(policyName PolicyName) *iamv1.PolicyDocument {
-	return t.policyFunctionMap()[policyName]()
+	return p
 }

cmd/clusterawsadm/cmd/bootstrap/iam/iam_doc.go

@@ -18,12 +18,13 @@ package iam
 
 import (
 	"fmt"
+	"os"
 
 	"github.com/spf13/cobra"
 	"k8s.io/kubectl/pkg/util/templates"
 
 	"sigs.k8s.io/cluster-api-provider-aws/v2/cmd/clusterawsadm/cloudformation/bootstrap"
-	"sigs.k8s.io/cluster-api-provider-aws/v2/cmd/clusterawsadm/converters"
+	cmdout "sigs.k8s.io/cluster-api-provider-aws/v2/cmd/clusterawsadm/printers"
 )
 
 var errInvalidDocumentName = fmt.Errorf("invalid document name, use one of: %+v", bootstrap.ManagedIAMPolicyNames)
@@ -53,31 +54,31 @@ func printPolicyCmd() *cobra.Command {
 		clusterawsadm bootstrap iam print-policy --document AWSIAMManagedPolicyCloudProviderNodes
 
 		# Print out the IAM policy for the Kubernetes AWS EBS CSI Driver Controller.
-		clusterawsadm bootstrap iam print-policy --document AWSEBSCSIPolicyController
+		# Note that this is available only when 'spec.controlPlane.enableCSIPolicy' is set to 'true' in the configuration file.
+		clusterawsadm bootstrap iam print-policy --document AWSEBSCSIPolicyControllerc
 		`),
 		Args: cobra.NoArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			template, err := getBootstrapTemplate(cmd)
+			printer, err := cmdout.New("json", os.Stdout)
 			if err != nil {
-				return err
+				return fmt.Errorf("failed creating output printer: %w", err)
 			}
 
-			policyName, err := getDocumentName(cmd)
+			t, err := getBootstrapTemplate(cmd)
 			if err != nil {
 				return err
 			}
 
-			if policyName == "" {
-				return template.PrintPolicyDocs()
-			}
-
-			policyDocument := template.GetPolicyDocFromPolicyName(policyName)
-			str, err := converters.IAMPolicyDocumentToJSON(*policyDocument)
+			specificPolicyName, err := getPolicyName(cmd)
 			if err != nil {
 				return err
 			}
+			if specificPolicyName != "" {
+				printer.Print(t.RenderManagedIAMPolicy(specificPolicyName))
+				return nil
+			}
 
-			fmt.Println(str)
+			printer.Print(t.RenderManagedIAMPolicies())
 			return nil
 		},
 	}
@@ -86,7 +87,7 @@ func printPolicyCmd() *cobra.Command {
 	return newCmd
 }
 
-func getDocumentName(cmd *cobra.Command) (bootstrap.PolicyName, error) {
+func getPolicyName(cmd *cobra.Command) (bootstrap.PolicyName, error) {
 	val := bootstrap.PolicyName(cmd.Flags().Lookup("document").Value.String())
 
 	if val == "" {