Commit 49efa8c

Kkasuga904bryantbiggs

and

authored

feat: Update EBS CSI IAM policy to match current upstream project (#575)

Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>

1 parent a787dce commit 49efa8cCopy full SHA for 49efa8c

File tree

6 files changed

+60

-44

lines changed

.pre-commit-config.yaml
examples
- iam-eks-role
  - README.md
  - versions.tf
- iam-role-for-service-accounts-eks
  - README.md
  - versions.tf
modules/iam-role-for-service-accounts-eks
- policies.tf

6 files changed

+60

-44

lines changed

`‎.pre-commit-config.yaml`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`repos:`
`2`	`2`	`- repo: https://github.com/antonbabenko/pre-commit-terraform`
`3`		`- rev: v1.99.1`
	`3`	`+ rev: v1.99.4`
`4`	`4`	`hooks:`
`5`	`5`	`- id: terraform_fmt`
`6`	`6`	`- id: terraform_wrapper_module_for_each`

`‎examples/iam-eks-role/README.md`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
@@ -20,14 +20,14 @@ Run `terraform destroy` when you don't need these resources.
`20`	`20`	`\| Name \| Version \|`
`21`	`21`	`\|------\|---------\|`
`22`	`22`	`\| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) \| >= 1.0 \|`
`23`		`-\| <a name="requirement_aws"></a> [aws](#requirement\_aws) \| >= 4.0 \|`
	`23`	`+\| <a name="requirement_aws"></a> [aws](#requirement\_aws) \| >= 4.0, < 6.0 \|`
`24`	`24`	`\| <a name="requirement_random"></a> [random](#requirement\_random) \| >= 2.0 \|`
`25`	`25`
`26`	`26`	`## Providers`
`27`	`27`
`28`	`28`	`\| Name \| Version \|`
`29`	`29`	`\|------\|---------\|`
`30`		`-\| <a name="provider_aws"></a> [aws](#provider\_aws) \| >= 4.0 \|`
	`30`	`+\| <a name="provider_aws"></a> [aws](#provider\_aws) \| >= 4.0, < 6.0 \|`
`31`	`31`	`\| <a name="provider_random"></a> [random](#provider\_random) \| >= 2.0 \|`
`32`	`32`
`33`	`33`	`## Modules`

`‎examples/iam-eks-role/versions.tf`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ terraform {`
`4`	`4`	`required_providers {`
`5`	`5`	`aws = {`
`6`	`6`	`source = "hashicorp/aws"`
`7`		`- version = ">= 4.0"`
	`7`	`+ version = ">= 4.0, < 6.0"`
`8`	`8`	`}`
`9`	`9`	`random = {`
`10`	`10`	`source = "hashicorp/random"`

`‎examples/iam-role-for-service-accounts-eks/README.md`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
@@ -20,13 +20,13 @@ Run `terraform destroy` when you don't need these resources.
`20`	`20`	`\| Name \| Version \|`
`21`	`21`	`\|------\|---------\|`
`22`	`22`	`\| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) \| >= 1.0 \|`
`23`		`-\| <a name="requirement_aws"></a> [aws](#requirement\_aws) \| >= 4.0 \|`
	`23`	`+\| <a name="requirement_aws"></a> [aws](#requirement\_aws) \| >= 4.0, < 6.0 \|`
`24`	`24`
`25`	`25`	`## Providers`
`26`	`26`
`27`	`27`	`\| Name \| Version \|`
`28`	`28`	`\|------\|---------\|`
`29`		`-\| <a name="provider_aws"></a> [aws](#provider\_aws) \| >= 4.0 \|`
	`29`	`+\| <a name="provider_aws"></a> [aws](#provider\_aws) \| >= 4.0, < 6.0 \|`
`30`	`30`
`31`	`31`	`## Modules`
`32`	`32`

`‎examples/iam-role-for-service-accounts-eks/versions.tf`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ terraform {`
`4`	`4`	`required_providers {`
`5`	`5`	`aws = {`
`6`	`6`	`source = "hashicorp/aws"`
`7`		`- version = ">= 4.0"`
	`7`	`+ version = ">= 4.0, < 6.0"`
`8`	`8`	`}`
`9`	`9`	`}`
`10`	`10`	`}`

`‎modules/iam-role-for-service-accounts-eks/policies.tf`

Lines changed: 53 additions & 37 deletions

Original file line number	Diff line number	Diff line change
`@@ -188,25 +188,49 @@ data "aws_iam_policy_document" "ebs_csi" {`
`188`	`188`
`189`	`189`	`statement {`
`190`	`190`	`actions = [`
`191`		`- "ec2:CreateSnapshot",`
`192`		`- "ec2:AttachVolume",`
`193`		`- "ec2:DetachVolume",`
`194`		`- "ec2:ModifyVolume",`
`195`	`191`	`"ec2:DescribeAvailabilityZones",`
`196`	`192`	`"ec2:DescribeInstances",`
`197`	`193`	`"ec2:DescribeSnapshots",`
`198`	`194`	`"ec2:DescribeTags",`
`199`	`195`	`"ec2:DescribeVolumes",`
`200`	`196`	`"ec2:DescribeVolumesModifications",`
`201`		`- "ec2:EnableFastSnapshotRestores"`
`202`	`197`	`]`
`203`	`198`
`204`	`199`	`resources = ["*"]`
`205`	`200`	`}`
`206`	`201`
`207`	`202`	`statement {`
`208`		`- actions = ["ec2:CreateTags"]`
	`203`	`+ actions = [`
	`204`	`+ "ec2:CreateSnapshot",`
	`205`	`+ "ec2:ModifyVolume",`
	`206`	`+ ]`
	`207`	`+`
	`208`	`+ resources = ["arn:${local.partition}:ec2:::volume/*"]`
	`209`	`+ }`
	`210`	`+`
	`211`	`+ statement {`
	`212`	`+ actions = [`
	`213`	`+ "ec2:AttachVolume",`
	`214`	`+ "ec2:DetachVolume",`
	`215`	`+ ]`
`209`	`216`
	`217`	`+ resources = [`
	`218`	`+ "arn:${local.partition}:ec2:::volume/*",`
	`219`	`+ "arn:${local.partition}:ec2:::instance/*",`
	`220`	`+ ]`
	`221`	`+ }`
	`222`	`+`
	`223`	`+ statement {`
	`224`	`+ actions = [`
	`225`	`+ "ec2:CreateVolume",`
	`226`	`+ "ec2:EnableFastSnapshotRestores",`
	`227`	`+ ]`
	`228`	`+`
	`229`	`+ resources = ["arn:${local.partition}:ec2:::snapshot/*"]`
	`230`	`+ }`
	`231`	`+`
	`232`	`+ statement {`
	`233`	`+ actions = ["ec2:CreateTags"]`
`210`	`234`	`resources = [`
`211`	`235`	`"arn:${local.partition}:ec2:::volume/*",`
`212`	`236`	`"arn:${local.partition}:ec2:::snapshot/*",`
`@@ -224,7 +248,6 @@ data "aws_iam_policy_document" "ebs_csi" {`
`224`	`248`
`225`	`249`	`statement {`
`226`	`250`	`actions = ["ec2:DeleteTags"]`
`227`		`-`
`228`	`251`	`resources = [`
`229`	`252`	`"arn:${local.partition}:ec2:::volume/*",`
`230`	`253`	`"arn:${local.partition}:ec2:::snapshot/*",`
`@@ -238,9 +261,7 @@ data "aws_iam_policy_document" "ebs_csi" {`
`238`	`261`	`condition {`
`239`	`262`	`test = "StringLike"`
`240`	`263`	`variable = "aws:RequestTag/ebs.csi.aws.com/cluster"`
`241`		`- values = [`
`242`		`- true`
`243`		`- ]`
	`264`	`+ values = ["true"]`
`244`	`265`	`}`
`245`	`266`	`}`
`246`	`267`
`@@ -256,84 +277,79 @@ data "aws_iam_policy_document" "ebs_csi" {`
`256`	`277`	`}`
`257`	`278`
`258`	`279`	`statement {`
`259`		`- actions = ["ec2:CreateVolume"]`
`260`		`- resources = ["*"]`
	`280`	`+ actions = ["ec2:DeleteVolume"]`
	`281`	`+ resources = ["arn:${local.partition}:ec2:::volume/*"]`
`261`	`282`
`262`	`283`	`condition {`
`263`	`284`	`test = "StringLike"`
`264`		`- variable = "aws:RequestTag/kubernetes.io/cluster/*"`
`265`		`- values = ["owned"]`
	`285`	`+ variable = "aws:ResourceTag/ebs.csi.aws.com/cluster"`
	`286`	`+ values = ["true"]`
`266`	`287`	`}`
`267`	`288`	`}`
`268`	`289`
`269`		`- statement {`
`270`		`- actions = ["ec2:CreateVolume"]`
`271`		`- resources = ["arn:${local.partition}:ec2:::snapshot/*"]`
`272`		`- }`
`273`		`-`
`274`	`290`	`statement {`
`275`	`291`	`actions = ["ec2:DeleteVolume"]`
`276`		`- resources = ["*"]`
	`292`	`+ resources = ["arn:${local.partition}:ec2:::volume/*"]`
`277`	`293`
`278`	`294`	`condition {`
`279`	`295`	`test = "StringLike"`
`280`		`- variable = "ec2:ResourceTag/ebs.csi.aws.com/cluster"`
`281`		`- values = [true]`
	`296`	`+ variable = "aws:ResourceTag/CSIVolumeName"`
	`297`	`+ values = ["*"]`
`282`	`298`	`}`
`283`	`299`	`}`
`284`	`300`
`285`	`301`	`statement {`
`286`	`302`	`actions = ["ec2:DeleteVolume"]`
`287`		`- resources = ["*"]`
	`303`	`+ resources = ["arn:${local.partition}:ec2:::volume/*"]`
`288`	`304`
`289`	`305`	`condition {`
`290`	`306`	`test = "StringLike"`
`291`		`- variable = "ec2:ResourceTag/CSIVolumeName"`
	`307`	`+ variable = "ec2:ResourceTag/kubernetes.io/created-for/pvc/name"`
`292`	`308`	`values = ["*"]`
`293`	`309`	`}`
`294`	`310`	`}`
`295`	`311`
`296`	`312`	`statement {`
`297`		`- actions = ["ec2:DeleteVolume"]`
`298`		`- resources = ["*"]`
	`313`	`+ actions = ["ec2:CreateSnapshot"]`
	`314`	`+ resources = ["arn:${local.partition}:ec2:::snapshot/*"]`
`299`	`315`
`300`	`316`	`condition {`
`301`	`317`	`test = "StringLike"`
`302`		`- variable = "ec2:ResourceTag/kubernetes.io/cluster/*"`
`303`		`- values = ["owned"]`
	`318`	`+ variable = "aws:RequestTag/CSIVolumeSnapshotName"`
	`319`	`+ values = ["*"]`
`304`	`320`	`}`
`305`	`321`	`}`
`306`	`322`
`307`	`323`	`statement {`
`308`		`- actions = ["ec2:DeleteVolume"]`
`309`		`- resources = ["*"]`
	`324`	`+ actions = ["ec2:CreateSnapshot"]`
	`325`	`+ resources = ["arn:${local.partition}:ec2:::snapshot/*"]`
`310`	`326`
`311`	`327`	`condition {`
`312`	`328`	`test = "StringLike"`
`313`		`- variable = "ec2:ResourceTag/kubernetes.io/created-for/pvc/name"`
`314`		`- values = ["*"]`
	`329`	`+ variable = "aws:RequestTag/ebs.csi.aws.com/cluster"`
	`330`	`+ values = ["true"]`
`315`	`331`	`}`
`316`	`332`	`}`
`317`	`333`
`318`	`334`	`statement {`
`319`	`335`	`actions = ["ec2:DeleteSnapshot"]`
`320`		`- resources = ["*"]`
	`336`	`+ resources = ["arn:${local.partition}:ec2:::snapshot/*"]`
`321`	`337`
`322`	`338`	`condition {`
`323`	`339`	`test = "StringLike"`
`324`		`- variable = "ec2:ResourceTag/CSIVolumeSnapshotName"`
	`340`	`+ variable = "aws:ResourceTag/CSIVolumeSnapshotName"`
`325`	`341`	`values = ["*"]`
`326`	`342`	`}`
`327`	`343`	`}`
`328`	`344`
`329`	`345`	`statement {`
`330`	`346`	`actions = ["ec2:DeleteSnapshot"]`
`331`		`- resources = ["*"]`
	`347`	`+ resources = ["arn:${local.partition}:ec2:::snapshot/*"]`
`332`	`348`
`333`	`349`	`condition {`
`334`	`350`	`test = "StringLike"`
`335`		`- variable = "ec2:ResourceTag/ebs.csi.aws.com/cluster"`
`336`		`- values = [true]`
	`351`	`+ variable = "aws:ResourceTag/ebs.csi.aws.com/cluster"`
	`352`	`+ values = ["true"]`
`337`	`353`	`}`
`338`	`354`	`}`
`339`	`355`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commit 49efa8c

File tree

6 files changed

6 files changed

`‎.pre-commit-config.yaml`

`‎examples/iam-eks-role/README.md`

`‎examples/iam-eks-role/versions.tf`

`‎examples/iam-role-for-service-accounts-eks/README.md`

`‎examples/iam-role-for-service-accounts-eks/versions.tf`

`‎modules/iam-role-for-service-accounts-eks/policies.tf`

0 commit comments