feat: Update EBS CSI IAM policy to match current upstream project (#575)

Co-authored-by: Bryant Biggs <[email protected]>

Author: Kkasuga904

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.99.1
+    rev: v1.99.4
     hooks:
       - id: terraform_fmt
       - id: terraform_wrapper_module_for_each

examples/iam-eks-role/README.md

@@ -20,14 +20,14 @@ Run `terraform destroy` when you don't need these resources.
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0, < 6.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0, < 6.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
 
 ## Modules

examples/iam-eks-role/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.0"
+      version = ">= 4.0, < 6.0"
     }
     random = {
       source  = "hashicorp/random"

examples/iam-role-for-service-accounts-eks/README.md

@@ -20,13 +20,13 @@ Run `terraform destroy` when you don't need these resources.
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0, < 6.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0, < 6.0 |
 
 ## Modules
 

examples/iam-role-for-service-accounts-eks/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.0"
+      version = ">= 4.0, < 6.0"
     }
   }
 }

modules/iam-role-for-service-accounts-eks/policies.tf

@@ -188,25 +188,49 @@ data "aws_iam_policy_document" "ebs_csi" {
 
   statement {
     actions = [
-      "ec2:CreateSnapshot",
-      "ec2:AttachVolume",
-      "ec2:DetachVolume",
-      "ec2:ModifyVolume",
       "ec2:DescribeAvailabilityZones",
       "ec2:DescribeInstances",
       "ec2:DescribeSnapshots",
       "ec2:DescribeTags",
       "ec2:DescribeVolumes",
       "ec2:DescribeVolumesModifications",
-      "ec2:EnableFastSnapshotRestores"
     ]
 
     resources = ["*"]
   }
 
   statement {
-    actions = ["ec2:CreateTags"]
+    actions = [
+      "ec2:CreateSnapshot",
+      "ec2:ModifyVolume",
+    ]
+
+    resources = ["arn:${local.partition}:ec2:*:*:volume/*"]
+  }
+
+  statement {
+    actions = [
+      "ec2:AttachVolume",
+      "ec2:DetachVolume",
+    ]
 
+    resources = [
+      "arn:${local.partition}:ec2:*:*:volume/*",
+      "arn:${local.partition}:ec2:*:*:instance/*",
+    ]
+  }
+
+  statement {
+    actions = [
+      "ec2:CreateVolume",
+      "ec2:EnableFastSnapshotRestores",
+    ]
+
+    resources = ["arn:${local.partition}:ec2:*:*:snapshot/*"]
+  }
+
+  statement {
+    actions = ["ec2:CreateTags"]
     resources = [
       "arn:${local.partition}:ec2:*:*:volume/*",
       "arn:${local.partition}:ec2:*:*:snapshot/*",
@@ -224,7 +248,6 @@ data "aws_iam_policy_document" "ebs_csi" {
 
   statement {
     actions = ["ec2:DeleteTags"]
-
     resources = [
       "arn:${local.partition}:ec2:*:*:volume/*",
       "arn:${local.partition}:ec2:*:*:snapshot/*",
@@ -238,9 +261,7 @@ data "aws_iam_policy_document" "ebs_csi" {
     condition {
       test     = "StringLike"
       variable = "aws:RequestTag/ebs.csi.aws.com/cluster"
-      values = [
-        true
-      ]
+      values   = ["true"]
     }
   }
 
@@ -256,84 +277,79 @@ data "aws_iam_policy_document" "ebs_csi" {
   }
 
   statement {
-    actions   = ["ec2:CreateVolume"]
-    resources = ["*"]
+    actions   = ["ec2:DeleteVolume"]
+    resources = ["arn:${local.partition}:ec2:*:*:volume/*"]
 
     condition {
       test     = "StringLike"
-      variable = "aws:RequestTag/kubernetes.io/cluster/*"
-      values   = ["owned"]
+      variable = "aws:ResourceTag/ebs.csi.aws.com/cluster"
+      values   = ["true"]
     }
   }
 
-  statement {
-    actions   = ["ec2:CreateVolume"]
-    resources = ["arn:${local.partition}:ec2:*:*:snapshot/*"]
-  }
-
   statement {
     actions   = ["ec2:DeleteVolume"]
-    resources = ["*"]
+    resources = ["arn:${local.partition}:ec2:*:*:volume/*"]
 
     condition {
       test     = "StringLike"
-      variable = "ec2:ResourceTag/ebs.csi.aws.com/cluster"
-      values   = [true]
+      variable = "aws:ResourceTag/CSIVolumeName"
+      values   = ["*"]
     }
   }
 
   statement {
     actions   = ["ec2:DeleteVolume"]
-    resources = ["*"]
+    resources = ["arn:${local.partition}:ec2:*:*:volume/*"]
 
     condition {
       test     = "StringLike"
-      variable = "ec2:ResourceTag/CSIVolumeName"
+      variable = "ec2:ResourceTag/kubernetes.io/created-for/pvc/name"
       values   = ["*"]
     }
   }
 
   statement {
-    actions   = ["ec2:DeleteVolume"]
-    resources = ["*"]
+    actions   = ["ec2:CreateSnapshot"]
+    resources = ["arn:${local.partition}:ec2:*:*:snapshot/*"]
 
     condition {
       test     = "StringLike"
-      variable = "ec2:ResourceTag/kubernetes.io/cluster/*"
-      values   = ["owned"]
+      variable = "aws:RequestTag/CSIVolumeSnapshotName"
+      values   = ["*"]
     }
   }
 
   statement {
-    actions   = ["ec2:DeleteVolume"]
-    resources = ["*"]
+    actions   = ["ec2:CreateSnapshot"]
+    resources = ["arn:${local.partition}:ec2:*:*:snapshot/*"]
 
     condition {
       test     = "StringLike"
-      variable = "ec2:ResourceTag/kubernetes.io/created-for/pvc/name"
-      values   = ["*"]
+      variable = "aws:RequestTag/ebs.csi.aws.com/cluster"
+      values   = ["true"]
     }
   }
 
   statement {
     actions   = ["ec2:DeleteSnapshot"]
-    resources = ["*"]
+    resources = ["arn:${local.partition}:ec2:*:*:snapshot/*"]
 
     condition {
       test     = "StringLike"
-      variable = "ec2:ResourceTag/CSIVolumeSnapshotName"
+      variable = "aws:ResourceTag/CSIVolumeSnapshotName"
       values   = ["*"]
     }
   }
 
   statement {
     actions   = ["ec2:DeleteSnapshot"]
-    resources = ["*"]
+    resources = ["arn:${local.partition}:ec2:*:*:snapshot/*"]
 
     condition {
       test     = "StringLike"
-      variable = "ec2:ResourceTag/ebs.csi.aws.com/cluster"
-      values   = [true]
+      variable = "aws:ResourceTag/ebs.csi.aws.com/cluster"
+      values   = ["true"]
     }
   }