
Commit 49efa8c

feat: Update EBS CSI IAM policy to match current upstream project (#575)
Co-authored-by: Bryant Biggs <[email protected]>
1 parent a787dce commit 49efa8c

6 files changed

+60
-44
lines changed


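--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/antonbabenko/pre-commit-terraform
-rev: v1.99.1
+rev: v1.99.4
 hooks:
 - id: terraform_fmt
 - id: terraform_wrapper_module_for_each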

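--- a/examples/iam-eks-role/README.md
+++ b/examples/iam-eks-role/README.md
@@ -20,14 +20,14 @@ Run `terraform destroy` when you don't need these resources.
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0, < 6.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0, < 6.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
 
 ## Modules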

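--- a/examples/iam-eks-role/versions.tf
+++ b/examples/iam-eks-role/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
-version = ">= 4.0"
+version = ">= 4.0, < 6.0"
 }
 random = {
 source = "hashicorp/random"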

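--- a/examples/iam-role-for-service-accounts-eks/README.md
+++ b/examples/iam-role-for-service-accounts-eks/README.md
@@ -20,13 +20,13 @@ Run `terraform destroy` when you don't need these resources.
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0, < 6.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0, < 6.0 |
 
 ## Modules
 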
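--- a/examples/iam-role-for-service-accounts-eks/versions.tf
+++ b/examples/iam-role-for-service-accounts-eks/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
-version = ">= 4.0"
+version = ">= 4.0, < 6.0"
 }
 }
 }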

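--- a/modules/iam-role-for-service-accounts-eks/policies.tf
+++ b/modules/iam-role-for-service-accounts-eks/policies.tf
@@ -188,25 +188,49 @@ data "aws_iam_policy_document" "ebs_csi" {
 
 statement {
 actions = [
-"ec2:CreateSnapshot",
-"ec2:AttachVolume",
-"ec2:DetachVolume",
-"ec2:ModifyVolume",
 "ec2:DescribeAvailabilityZones",
 "ec2:DescribeInstances",
 "ec2:DescribeSnapshots",
 "ec2:DescribeTags",
 "ec2:DescribeVolumes",
 "ec2:DescribeVolumesModifications",
-"ec2:EnableFastSnapshotRestores"
 ]
 
 resources = ["*"]
 }
 
 statement {
-actions = ["ec2:CreateTags"]
+actions = [
+"ec2:CreateSnapshot",
+"ec2:ModifyVolume",
+]
+
+resources = ["arn:${local.partition}:ec2:*:*:volume/*"]
+}
+
+statement {
+actions = [
+"ec2:AttachVolume",
+"ec2:DetachVolume",
+]
 
+resources = [
+"arn:${local.partition}:ec2:*:*:volume/*",
+"arn:${local.partition}:ec2:*:*:instance/*",
+]
+}
+
+statement {
+actions = [
+"ec2:CreateVolume",
+"ec2:EnableFastSnapshotRestores",
+]
+
+resources = ["arn:${local.partition}:ec2:*:*:snapshot/*"]
+}
+
+statement {
+actions = ["ec2:CreateTags"]
 resources = [
 "arn:${local.partition}:ec2:*:*:volume/*",
 "arn:${local.partition}:ec2:*:*:snapshot/*",
@@ -224,7 +248,6 @@ data "aws_iam_policy_document" "ebs_csi" {
 
 statement {
 actions = ["ec2:DeleteTags"]
-
 resources = [
 "arn:${local.partition}:ec2:*:*:volume/*",
 "arn:${local.partition}:ec2:*:*:snapshot/*",
@@ -238,9 +261,7 @@ data "aws_iam_policy_document" "ebs_csi" {
 condition {
 test = "StringLike"
 variable = "aws:RequestTag/ebs.csi.aws.com/cluster"
-values = [
-true
-]
+values = ["true"]
 }
 }
 
@@ -256,84 +277,79 @@ data "aws_iam_policy_document" "ebs_csi" {
 }
 
 statement {
-actions = ["ec2:CreateVolume"]
-resources = ["*"]
+actions = ["ec2:DeleteVolume"]
+resources = ["arn:${local.partition}:ec2:*:*:volume/*"]
 
 condition {
 test = "StringLike"
-variable = "aws:RequestTag/kubernetes.io/cluster/*"
-values = ["owned"]
+variable = "aws:ResourceTag/ebs.csi.aws.com/cluster"
+values = ["true"]
 }
 }
 
-statement {
-actions = ["ec2:CreateVolume"]
-resources = ["arn:${local.partition}:ec2:*:*:snapshot/*"]
-}
-
 statement {
 actions = ["ec2:DeleteVolume"]
-resources = ["*"]
+resources = ["arn:${local.partition}:ec2:*:*:volume/*"]
 
 condition {
 test = "StringLike"
-variable = "ec2:ResourceTag/ebs.csi.aws.com/cluster"
-values = [true]
+variable = "aws:ResourceTag/CSIVolumeName"
+values = ["*"]
 }
 }
 
 statement {
 actions = ["ec2:DeleteVolume"]
-resources = ["*"]
+resources = ["arn:${local.partition}:ec2:*:*:volume/*"]
 
 condition {
 test = "StringLike"
-variable = "ec2:ResourceTag/CSIVolumeName"
+variable = "ec2:ResourceTag/kubernetes.io/created-for/pvc/name"
 values = ["*"]
 }
 }
 
 statement {
-actions = ["ec2:DeleteVolume"]
-resources = ["*"]
+actions = ["ec2:CreateSnapshot"]
+resources = ["arn:${local.partition}:ec2:*:*:snapshot/*"]
 
 condition {
 test = "StringLike"
-variable = "ec2:ResourceTag/kubernetes.io/cluster/*"
-values = ["owned"]
+variable = "aws:RequestTag/CSIVolumeSnapshotName"
+values = ["*"]
 }
 }
 
 statement {
-actions = ["ec2:DeleteVolume"]
-resources = ["*"]
+actions = ["ec2:CreateSnapshot"]
+resources = ["arn:${local.partition}:ec2:*:*:snapshot/*"]
 
 condition {
 test = "StringLike"
-variable = "ec2:ResourceTag/kubernetes.io/created-for/pvc/name"
-values = ["*"]
+variable = "aws:RequestTag/ebs.csi.aws.com/cluster"
+values = ["true"]
 }
 }
 
 statement {
 actions = ["ec2:DeleteSnapshot"]
-resources = ["*"]
+resources = ["arn:${local.partition}:ec2:*:*:snapshot/*"]
 
 condition {
 test = "StringLike"
-variable = "ec2:ResourceTag/CSIVolumeSnapshotName"
+variable = "aws:ResourceTag/CSIVolumeSnapshotName"
 values = ["*"]
 }
 }
 
 statement {
 actions = ["ec2:DeleteSnapshot"]
-resources = ["*"]
+resources = ["arn:${local.partition}:ec2:*:*:snapshot/*"]
 
 condition {
 test = "StringLike"
-variable = "ec2:ResourceTag/ebs.csi.aws.com/cluster"
-values = [true]
+variable = "aws:ResourceTag/ebs.csi.aws.com/cluster"
+values = ["true"]
 }
 }
 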
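Review bot: The three consecutive `ec2:DeleteVolume` statements on the new side (new lines 279-310) differ only in the single tag condition each carries, and nothing in the file records why they are kept apart; a comment above the first would stop a later tidy-up from merging them into one statement, which would AND the conditions together and require every tag to be present before a delete is allowed, e.g. `# One DeleteVolume statement per tag: conditions within a statement are ANDed, so separate statements are needed to allow deletion when any one of these tags is present.` The same reasoning applies to the two `ec2:CreateSnapshot` and two `ec2:DeleteSnapshot` statements that follow. Separately, the statement at new line 307 conditions on `ec2:ResourceTag/kubernetes.io/created-for/pvc/name` while its siblings switched to the `aws:ResourceTag/` prefix; both condition keys exist for EC2, so if the mix is deliberate to mirror the upstream policy a short comment would save the next reviewer the question. The enclosing `ebs_csi` policy document opens before the first hunk, and the `CreateTags` statement's resource list runs past the end of that hunk.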
