adding get policy logic

Signed-off-by: suvaanshkumar <[email protected]>

pkg/registration/register/aws_irsa/approver.go

@@ -12,13 +12,13 @@ import (
 	"github.com/aws/aws-sdk-go-v2/config"
 	"github.com/aws/aws-sdk-go-v2/service/iam"
 
+	"github.com/aws/aws-sdk-go-v2/service/eks"
 	clusterv1 "open-cluster-management.io/api/cluster/v1"
 	v1 "open-cluster-management.io/api/cluster/v1"
 	clustermanagerv1 "open-cluster-management.io/api/operator/v1"
 	"open-cluster-management.io/ocm/manifests"
 	commonhelpers "open-cluster-management.io/ocm/pkg/common/helpers"
 	"open-cluster-management.io/ocm/pkg/registration/register"
-	"github.com/aws/aws-sdk-go-v2/service/eks"
 )
 
 type AwsIrsaApprover struct {
@@ -123,7 +123,7 @@ func CreateIAMRolesPoliciesAndAccessEntryForAWSIRSA(ctx context.Context, Registr
 		} else {
 			fmt.Printf("Role created successfully: %s\n", *createRoleOutput.Role.Arn)
 		}
-
+		var getPolicyResult *iam.GetPolicyOutput
 		createPolicyResult, err := iamClient.CreatePolicy(ctx, &iam.CreatePolicyInput{
 			PolicyDocument: aws.String(renderedTemplates[0]),
 			PolicyName:     aws.String(roleName),
@@ -134,13 +134,32 @@ func CreateIAMRolesPoliciesAndAccessEntryForAWSIRSA(ctx context.Context, Registr
 				return err
 			} else {
 				log.Printf("Ignore IAM policy creation error as entity already exists")
+				policyArn, err := getPolicyArnByName(iamClient, roleName)
+				if err != nil {
+					log.Fatalf("error retrieving policy ARN: %v", err)
+				}
+				getPolicyResult, err = iamClient.GetPolicy(context.TODO(), &iam.GetPolicyInput{
+					PolicyArn: aws.String(policyArn),
+				})
+				if err != nil {
+					log.Printf("Failed to get IAM Policy: %v\n", err)
+					return err
+				}
 			}
 		} else {
 			fmt.Printf("Policy created successfully: %s\n", *createPolicyResult.Policy.Arn)
 		}
 
+		var policyArn string
+		if getPolicyResult != nil {
+			policyArn = *getRoleOutput.Role.Arn
+		} else {
+			policyArn = *createRoleOutput.Role.Arn
+		}
+
+
 		_, err = iamClient.AttachRolePolicy(ctx, &iam.AttachRolePolicyInput{
-			PolicyArn: aws.String(*createPolicyResult.Policy.Arn),
+			PolicyArn: aws.String(policyArn),
 			RoleName:  aws.String(roleName),
 		})
 		if err != nil {
@@ -149,7 +168,7 @@ func CreateIAMRolesPoliciesAndAccessEntryForAWSIRSA(ctx context.Context, Registr
 		}
 
 		// Create Access Entry
-		var principalArn string 
+		var principalArn string
 		if getRoleOutput != nil {
 			principalArn = *getRoleOutput.Role.Arn
 		} else {
@@ -205,3 +224,33 @@ func NewAwsIrsaApprover() (register.Approver, error) {
 	awsIrsaApprover := &AwsIrsaApprover{}
 	return awsIrsaApprover, nil
 }
+
+
+func getPolicyArnByName(client *iam.Client, policyName string) (string, error) {
+	var marker *string
+	for {
+		// List policies in batches
+		output, err := client.ListPolicies(context.TODO(), &iam.ListPoliciesInput{
+			Scope:  "Local", // "Local" for customer-managed policies, "AWS" for AWS-managed
+			Marker: marker,
+		})
+		if err != nil {
+			return "", err
+		}
+
+		// Look for the policy by name
+		for _, policy := range output.Policies {
+			if *policy.PolicyName == policyName {
+				return *policy.Arn, nil
+			}
+		}
+
+		// If there's a next page, continue
+		if output.Marker == nil {
+			break
+		}
+		marker = output.Marker
+	}
+
+	return "", fmt.Errorf("policy %s not found", policyName)
+}