
Commit 3d18d12

committed
feat: Align EBS CSI driver policy with upstream repo
1 parent 768426d commit 3d18d12


2 files changed

+63
-38
lines changed


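--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.99.1
+    rev: v1.99.4
     hooks:
       - id: terraform_fmt
       - id: terraform_wrapper_module_for_each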

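--- a/modules/iam-role-for-service-accounts-eks/policies.tf
+++ b/modules/iam-role-for-service-accounts-eks/policies.tf
@@ -188,34 +188,66 @@ data "aws_iam_policy_document" "ebs_csi" {
 
   statement {
     actions = [
-      "ec2:CreateSnapshot",
-      "ec2:AttachVolume",
-      "ec2:DetachVolume",
-      "ec2:ModifyVolume",
       "ec2:DescribeAvailabilityZones",
       "ec2:DescribeInstances",
       "ec2:DescribeSnapshots",
       "ec2:DescribeTags",
       "ec2:DescribeVolumes",
       "ec2:DescribeVolumesModifications",
-      "ec2:EnableFastSnapshotRestores"
     ]
 
     resources = ["*"]
   }
 
   statement {
-    actions = ["ec2:CreateTags"]
+    actions = [
+      "ec2:CreateSnapshot",
+      "ec2:ModifyVolume",
+    ]
+
+    resources = ["arn:${local.partition}:ec2:*:*:volume/*"]
+  }
+
+  statement {
+    actions = [
+      "ec2:AttachVolume",
+      "ec2:DetachVolume",
+    ]
+
+    resources = [
+      "arn:${local.partition}:ec2:*:*:volume/*",
+      "arn:${local.partition}:ec2:*:*:instance/*",
+    ]
+  }
+
+  statement {
+    actions = [
+      "ec2:CreateVolume",
+      "ec2:EnableFastSnapshotRestores",
+    ]
 
+    resources = ["arn:${local.partition}:ec2:*:*:snapshot/*"]
+  }
+
+  statement {
+    actions = ["ec2:CreateTags"]
     resources = [
       "arn:${local.partition}:ec2:*:*:volume/*",
       "arn:${local.partition}:ec2:*:*:snapshot/*",
     ]
+
+    condition {
+      test = "StringEquals"
+      variable = "ec2:CreateAction"
+      values = [
+        "CreateVolume",
+        "CreateSnapshot",
+      ]
+    }
   }
 
   statement {
     actions = ["ec2:DeleteTags"]
-
     resources = [
       "arn:${local.partition}:ec2:*:*:volume/*",
       "arn:${local.partition}:ec2:*:*:snapshot/*",
@@ -229,9 +261,7 @@ data "aws_iam_policy_document" "ebs_csi" {
     condition {
       test = "StringLike"
       variable = "aws:RequestTag/ebs.csi.aws.com/cluster"
-      values = [
-        true
-      ]
+      values = ["true"]
     }
   }
 
@@ -247,84 +277,79 @@ data "aws_iam_policy_document" "ebs_csi" {
   }
 
   statement {
-    actions = ["ec2:CreateVolume"]
-    resources = ["*"]
+    actions = ["ec2:DeleteVolume"]
+    resources = ["arn:${local.partition}:ec2:*:*:volume/*"]
 
     condition {
       test = "StringLike"
-      variable = "aws:RequestTag/kubernetes.io/cluster/*"
-      values = ["owned"]
+      variable = "aws:ResourceTag/ebs.csi.aws.com/cluster"
+      values = ["true"]
     }
   }
 
-  statement {
-    actions = ["ec2:CreateVolume"]
-    resources = ["arn:${local.partition}:ec2:*:*:snapshot/*"]
-  }
-
   statement {
     actions = ["ec2:DeleteVolume"]
-    resources = ["*"]
+    resources = ["arn:${local.partition}:ec2:*:*:volume/*"]
 
     condition {
       test = "StringLike"
-      variable = "ec2:ResourceTag/ebs.csi.aws.com/cluster"
-      values = [true]
+      variable = "aws:ResourceTag/CSIVolumeName"
+      values = ["*"]
     }
   }
 
   statement {
     actions = ["ec2:DeleteVolume"]
-    resources = ["*"]
+    resources = ["arn:${local.partition}:ec2:*:*:volume/*"]
 
     condition {
       test = "StringLike"
-      variable = "ec2:ResourceTag/CSIVolumeName"
+      variable = "ec2:ResourceTag/kubernetes.io/created-for/pvc/name"
       values = ["*"]
     }
   }
 
   statement {
-    actions = ["ec2:DeleteVolume"]
-    resources = ["*"]
+    actions = ["ec2:CreateSnapshot"]
+    resources = ["arn:${local.partition}:ec2:*:*:snapshot/*"]
 
     condition {
       test = "StringLike"
-      variable = "ec2:ResourceTag/kubernetes.io/cluster/*"
-      values = ["owned"]
+      variable = "aws:RequestTag/CSIVolumeSnapshotName"
+      values = ["*"]
     }
   }
 
   statement {
-    actions = ["ec2:DeleteVolume"]
-    resources = ["*"]
+    actions = ["ec2:CreateSnapshot"]
+    resources = ["arn:${local.partition}:ec2:*:*:snapshot/*"]
 
     condition {
       test = "StringLike"
-      variable = "ec2:ResourceTag/kubernetes.io/created-for/pvc/name"
-      values = ["*"]
+      variable = "aws:RequestTag/ebs.csi.aws.com/cluster"
+      values = ["true"]
     }
   }
 
   statement {
     actions = ["ec2:DeleteSnapshot"]
-    resources = ["*"]
+    resources = ["arn:${local.partition}:ec2:*:*:snapshot/*"]
 
     condition {
       test = "StringLike"
-      variable = "ec2:ResourceTag/CSIVolumeSnapshotName"
+      variable = "aws:ResourceTag/CSIVolumeSnapshotName"
       values = ["*"]
     }
   }
 
   statement {
     actions = ["ec2:DeleteSnapshot"]
-    resources = ["*"]
+    resources = ["arn:${local.partition}:ec2:*:*:snapshot/*"]
 
     condition {
       test = "StringLike"
-      variable = "ec2:ResourceTag/ebs.csi.aws.com/cluster"
-      values = [true]
+      variable = "aws:ResourceTag/ebs.csi.aws.com/cluster"
+      values = ["true"]
     }
   }
 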
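Review bot: The `ec2:DeleteVolume` statement at new line 308 in the third hunk conditions on `ec2:ResourceTag/kubernetes.io/created-for/pvc/name` while every other new condition in that hunk (new lines 285, 296, 340, 351) was moved to the `aws:ResourceTag/...` key family; both families match EC2 resource tags, but mixing them in one document makes the tag-scoping contract harder to audit, so either change it to `variable = "aws:ResourceTag/kubernetes.io/created-for/pvc/name"` or add a comment saying why it stays on the `ec2:` key. The delete grants are now scoped entirely by tags the driver applies (`ebs.csi.aws.com/cluster`, `CSIVolumeName`, `kubernetes.io/created-for/pvc/name`, `CSIVolumeSnapshotName`) and the old `kubernetes.io/cluster/*` = `owned` variants are removed, so a short comment above the first DeleteVolume statement naming that tag set would let an operator see at a glance which volumes and snapshots this role can and cannot delete. In the first hunk, the new `ec2:AttachVolume`/`ec2:DetachVolume` statement (new lines 211–221) is the only resource-scoped grant left with no tag condition, so a one-line comment at line 211 such as `# Attach/Detach carry no tag condition: any volume/instance the ARN pattern matches is in scope` would mark that as intentional rather than an oversight. The `data "aws_iam_policy_document" "ebs_csi"` block begins before the first hunk, and the unchanged statements between the hunks are not shown here.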