6 files changed, 29 insertions, 10 deletions

diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/ServiceRegistry.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/ServiceRegistry.java
index 4006d68ba1f..d35f8f00fd1 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/ServiceRegistry.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/ServiceRegistry.java
@@ -1,7 +1,7 @@
 // Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.hosted.controller.api.integration;
 
-import com.yahoo.vespa.hosted.controller.api.integration.aws.ApplicationRoleService;
+import com.yahoo.vespa.hosted.controller.api.integration.aws.RoleService;
 import com.yahoo.vespa.hosted.controller.api.integration.aws.AwsEventFetcher;
 import com.yahoo.vespa.hosted.controller.api.integration.aws.ResourceTagger;
 import com.yahoo.vespa.hosted.controller.api.integration.billing.BillingController;
@@ -74,7 +74,7 @@ public interface ServiceRegistry {
 
     ResourceTagger resourceTagger();
 
-    ApplicationRoleService applicationRoleService();
+    RoleService roleService();
 
     SystemMonitor systemMonitor();
 
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/NoopApplicationRoleService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/NoopRoleService.java
index 4842389bccb..81fec1582d0 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/NoopApplicationRoleService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/NoopRoleService.java
@@ -2,16 +2,27 @@
 package com.yahoo.vespa.hosted.controller.api.integration.aws;
 
 import com.yahoo.config.provision.ApplicationId;
+import com.yahoo.config.provision.TenantName;
 
 import java.util.Optional;
 
 /**
  * @author mortent
  */
-public class NoopApplicationRoleService implements ApplicationRoleService {
+public class NoopRoleService implements RoleService {
 
     @Override
     public Optional<ApplicationRoles> createApplicationRoles(ApplicationId applicationId) {
         return Optional.empty();
     }
+
+    @Override
+    public String createTenantRole(TenantName tenant) {
+        return "";
+    }
+
+    @Override
+    public String createTenantPolicy(TenantName tenant, String policyName, String awsId, String role) {
+        return "";
+    }
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/ApplicationRoleService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/RoleService.java
index e72ba5823d8..93c86c406b4 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/ApplicationRoleService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/RoleService.java
@@ -2,12 +2,19 @@
 package com.yahoo.vespa.hosted.controller.api.integration.aws;
 
 import com.yahoo.config.provision.ApplicationId;
+import com.yahoo.config.provision.TenantName;
 
 import java.util.Optional;
 
 /**
  * @author mortent
  */
-public interface ApplicationRoleService {
+public interface RoleService {
+
     Optional<ApplicationRoles> createApplicationRoles(ApplicationId applicationId);
+
+    String createTenantRole(TenantName tenant);
+
+    String createTenantPolicy(TenantName tenant, String policyName, String awsId, String role);
+
 }
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
index 8447353a869..42ac73a61d9 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
@@ -406,7 +406,7 @@ public class ApplicationController {
                 // Provision application roles if enabled for the zone
                 if (provisionApplicationRoles.with(FetchVector.Dimension.ZONE_ID, zone.value()).value()) {
                     try {
-                        applicationRoles = controller.serviceRegistry().applicationRoleService().createApplicationRoles(instance.id());
+                        applicationRoles = controller.serviceRegistry().roleService().createApplicationRoles(instance.id());
                     } catch (Exception e) {
                         log.log(Level.SEVERE, "Exception creating application roles for application: " + instance.id(), e);
                         throw new RuntimeException("Unable to provision iam roles for application");
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
index 4c9cf4f105f..24b9efc3c77 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
@@ -101,6 +101,7 @@ public class TenantController {
             requireNonExistent(tenantSpec.tenant());
             TenantId.validate(tenantSpec.tenant().value());
             curator.writeTenant(accessControl.createTenant(tenantSpec, controller.clock().instant(), credentials, asList()));
+            controller.serviceRegistry().roleService().createTenantRole(tenantSpec.tenant());
         }
     }
 
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java
index ae1e2c38e6a..fd0e7c20896 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/integration/ServiceRegistryMock.java
@@ -7,10 +7,10 @@ import com.yahoo.component.AbstractComponent;
 import com.yahoo.config.provision.SystemName;
 import com.yahoo.test.ManualClock;
 import com.yahoo.vespa.hosted.controller.api.integration.ServiceRegistry;
-import com.yahoo.vespa.hosted.controller.api.integration.aws.ApplicationRoleService;
+import com.yahoo.vespa.hosted.controller.api.integration.aws.RoleService;
 import com.yahoo.vespa.hosted.controller.api.integration.aws.MockAwsEventFetcher;
 import com.yahoo.vespa.hosted.controller.api.integration.aws.MockResourceTagger;
-import com.yahoo.vespa.hosted.controller.api.integration.aws.NoopApplicationRoleService;
+import com.yahoo.vespa.hosted.controller.api.integration.aws.NoopRoleService;
 import com.yahoo.vespa.hosted.controller.api.integration.aws.ResourceTagger;
 import com.yahoo.vespa.hosted.controller.api.integration.billing.BillingController;
 import com.yahoo.vespa.hosted.controller.api.integration.billing.MockBillingController;
@@ -58,7 +58,7 @@ public class ServiceRegistryMock extends AbstractComponent implements ServiceReg
     private final ApplicationStoreMock applicationStoreMock = new ApplicationStoreMock();
     private final MockRunDataStore mockRunDataStore = new MockRunDataStore();
     private final MockResourceTagger mockResourceTagger = new MockResourceTagger();
-    private final ApplicationRoleService applicationRoleService = new NoopApplicationRoleService();
+    private final RoleService roleService = new NoopRoleService();
     private final BillingController billingController = new MockBillingController();
     private final ContainerRegistryMock containerRegistry = new ContainerRegistryMock();
 
@@ -178,8 +178,8 @@ public class ServiceRegistryMock extends AbstractComponent implements ServiceReg
     }
 
     @Override
-    public ApplicationRoleService applicationRoleService() {
-        return applicationRoleService;
+    public RoleService roleService() {
+        return roleService;
     }
 
     @Override