From 8159b4d88f8b7e26f9ee93c4df5aa7d1daf01c75 Mon Sep 17 00:00:00 2001
From: Fernando Ripoll
Date: Tue, 16 Jul 2024 08:27:13 +0200
Subject: [PATCH] Fix root account ID (#112)

* Fix root account id
* Remove unnecesarry var
* Add changelog entry
---
 CHANGELOG.md                               | 9 +++++++++
 README.md                                  | 2 ++
 capa-controller-role/setup.sh              | 1 -
 capa-controller-role/trusted-entities.json | 2 +-
 4 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 94e7b63..0f2d72a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - CAPA: add new `mc-bootstrap` policy to `capa-controller` role.
 - Add IAM policy for use with Crossplane AWS provider. The initial permissions are meant to be used with Cilium ENI mode.
 - CAPA: add `autoscaling:CancelInstanceRefresh` permission (needed for `AWSMachinePool` reconciler [improvement](https://github.com/giantswarm/cluster-api-provider-aws/pull/598))
+- Create a CloudFormation stack to manage the IAM policies and roles.
+
+### Changed
+
+- Use a setup script to automate CAPA controller commands.
+
+### Removed
+
+- Remove vintage setup instructions.
 
 ## [3.4.0] - 2024-01-16
 
diff --git a/README.md b/README.md
index 03e4a05..f3a8a41 100644
--- a/README.md
+++ b/README.md
@@ -102,6 +102,8 @@ chmod +x setup.sh
 ./setup.sh
 ```
 
+__warning__: You may need to modify the `trusted-entities.json` to use `aws-cn` in the `Principal` field when using the China region.
+
 ### Cleanup
 
 ```
diff --git a/capa-controller-role/setup.sh b/capa-controller-role/setup.sh
index c277375..e4f5cfd 100755
--- a/capa-controller-role/setup.sh
+++ b/capa-controller-role/setup.sh
@@ -20,7 +20,6 @@ function echo_fail_or_success {
 }
 
 function create_role {
-    export AWS_ACCOUNT="$(aws sts get-caller-identity --output text --query 'Account')"
     envsubst < ./trusted-entities.json > ${INSTALLATION_NAME}-trusted-entities.json
     aws iam create-role --role-name "${ROLE_NAME}" --description "Giant Swarm managed role for k8s cluster creation" --assume-role-policy-document file://${INSTALLATION_NAME}-trusted-entities.json
     rm -f ${INSTALLATION_NAME}-trusted-entities.json
diff --git a/capa-controller-role/trusted-entities.json b/capa-controller-role/trusted-entities.json
index 8bd4f5b..5d8a645 100644
--- a/capa-controller-role/trusted-entities.json
+++ b/capa-controller-role/trusted-entities.json
@@ -4,7 +4,7 @@
     {
       "Effect": "Allow",
       "Principal": {
-        "AWS": "arn:*:iam::${AWS_ACCOUNT}:user/${INSTALLATION_NAME}-capa-controller"
+        "AWS": "arn:aws:iam::084190472784:user/${INSTALLATION_NAME}-capa-controller"
       },
       "Action": "sts:AssumeRole",
       "Condition": {}
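Review bot: With `AWS_ACCOUNT` no longer exported, the trust-policy template in `create_role` only needs `INSTALLATION_NAME`, yet the `envsubst` call on the line after the removed export still substitutes every `${VAR}` it finds in the caller's environment into the policy JSON; restricting it to the variables the template intentionally uses, `envsubst '${INSTALLATION_NAME}' < ./trusted-entities.json > "${INSTALLATION_NAME}-trusted-entities.json"`, keeps an unrelated environment variable from being expanded into a role trust document. That line and the `aws iam create-role` and `rm -f` lines below it also use `${INSTALLATION_NAME}` unquoted, so a value with whitespace or glob characters would word-split into a different file name than the one just written; double-quoting each occurrence is a one-token change per site. The closing brace of `create_role` is outside the hunk.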
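Review bot: The Principal ARN now fixes the partition to `aws` as well as the account, and the README hunk in this same commit asks China-region operators to hand-edit this file, which is easy to forget and leaves no trace in the generated policy. Since setup.sh already runs this file through envsubst, keeping the partition as a placeholder, `"AWS": "arn:${AWS_PARTITION}:iam::084190472784:user/${INSTALLATION_NAME}-capa-controller"`, with setup.sh exporting a default such as `export AWS_PARTITION="${AWS_PARTITION:-aws}"` before the envsubst call, would let one template serve both partitions without manual edits. The `Condition` block is left empty, so the trust rests on the principal ARN alone; if that is intentional, a short README sentence saying so would save the next reviewer the question.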