
Commit ad78d56

committed
feat: Remove permission variable defaults, add updates from upstream issues/PRs
1 parent 77cfbb4 commit ad78d56

9 files changed

+260
-53
lines changed


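--- a/modules/iam-group/main.tf
+++ b/modules/iam-group/main.tf
@@ -55,8 +55,10 @@ data "aws_iam_policy_document" "this" {
 content {
 sid = "ViewAccountInfo"
 actions = [
+"iam:GetAccountSummary",
 "iam:GetAccountPasswordPolicy",
-"iam:ListVirtualMFADevices"
+"iam:ListAccountAliases",
+"iam:ListVirtualMFADevices",
 ]
 resources = ["*"]
 }
@@ -69,7 +71,9 @@ data "aws_iam_policy_document" "this" {
 sid = "ManageOwnPasswords"
 actions = [
 "iam:ChangePassword",
-"iam:GetUser"
+"iam:GetLoginProfile",
+"iam:GetUser",
+"iam:UpdateLoginProfile",
 ]
 resources = local.user_resources
 }
@@ -84,7 +88,11 @@ data "aws_iam_policy_document" "this" {
 "iam:CreateAccessKey",
 "iam:DeleteAccessKey",
 "iam:ListAccessKeys",
-"iam:UpdateAccessKey"
+"iam:UpdateAccessKey",
+"iam:GetAccessKeyLastUsed",
+"iam:TagUser",
+"iam:ListUserTags",
+"iam:UntagUser",
 ]
 resources = local.user_resources
 }
@@ -168,14 +176,15 @@ data "aws_iam_policy_document" "this" {
 content {
 sid = "DenyAllExceptListedIfNoMFA"
 not_actions = [
-"iam:ChangePassword",
 "iam:CreateVirtualMFADevice",
 "iam:EnableMFADevice",
 "iam:GetUser",
+"iam:GetMFADevice",
 "iam:ListMFADevices",
 "iam:ListVirtualMFADevices",
 "iam:ResyncMFADevice",
-"sts:GetSessionToken"
+"sts:GetSessionToken",
+"iam:ChangePassword",
 ]
 resources = ["*"]
 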
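Review bot: Granting `iam:TagUser` and `iam:UntagUser` on `local.user_resources` in the access-key statement lets a user rewrite their own IAM user tags, and those tags are exactly what `aws:PrincipalTag` conditions evaluate, so in an account that relies on tag-based (ABAC) authorization this is a self-service privilege-escalation path that the commit neither gates nor documents. Presumably `local.user_resources` resolves to the caller's own user ARN (it is defined outside this hunk), which confines the change to self-tagging but does not remove the ABAC concern. Consider making the two tag actions opt-in, or constraining them with an `aws:TagKeys` condition listing the keys a user may set, and at minimum add above the statement: `# NOTE: TagUser/UntagUser on own user changes aws:PrincipalTag values — do not enable alongside policies keyed on principal tags.` The enclosing `dynamic` statement blocks begin before each hunk, so their guards are not visible here.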
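--- a/modules/iam-read-only-policy/main.tf
+++ b/modules/iam-read-only-policy/main.tf
@@ -28,6 +28,7 @@ data "aws_iam_policy_document" "this" {
 actions = [
 "${statement.value}:List*",
 "${statement.value}:Get*",
+"${statement.value}:BatchGet*",
 "${statement.value}:Describe*",
 "${statement.value}:View*",
 ]
@@ -44,6 +45,7 @@ data "aws_iam_policy_document" "this" {
 actions = [
 "${statement.value}:List*",
 "${statement.value}:Get*",
+"${statement.value}:BatchGet*",
 "${statement.value}:Describe*",
 "${statement.value}:View*",
 ]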
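Review bot: Adding `${statement.value}:BatchGet*` widens a policy named read-only further into data-plane reads for every listed service, because `Get*`/`BatchGet*` match actions that return payloads rather than metadata (`secretsmanager:BatchGetSecretValue` and `dynamodb:BatchGetItem` alongside the `secretsmanager:GetSecretValue` already covered by `Get*`), and the commit adds no caveat for callers who pass `secretsmanager` or `ssm` expecting metadata-only access. Suggest a comment above each actions list: `# NOTE: Get*/BatchGet* wildcards include data-plane reads (e.g. secretsmanager:BatchGetSecretValue, dynamodb:BatchGetItem); only list services whose data may be read.` The `dynamic` statement that yields `statement.value` starts outside the hunk, so I cannot see whether a `not_actions` or condition already narrows these wildcards.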

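--- a/modules/iam-role-for-service-accounts/README.md
+++ b/modules/iam-role-for-service-accounts/README.md
@@ -164,7 +164,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_amazon_managed_service_prometheus_workspace_arns"></a> [amazon\_managed\_service\_prometheus\_workspace\_arns](#input\_amazon\_managed\_service\_prometheus\_workspace\_arns) | List of AMP Workspace ARNs to read and write metrics | `list(string)` | <pre>[<br/> "*"<br/>]</pre> | no |
+| <a name="input_amazon_managed_service_prometheus_workspace_arns"></a> [amazon\_managed\_service\_prometheus\_workspace\_arns](#input\_amazon\_managed\_service\_prometheus\_workspace\_arns) | List of AMP Workspace ARNs to read and write metrics | `list(string)` | `[]` | no |
 | <a name="input_assume_role_condition_test"></a> [assume\_role\_condition\_test](#input\_assume\_role\_condition\_test) | Name of the [IAM condition operator](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) to evaluate when assuming the role | `string` | `"StringEquals"` | no |
 | <a name="input_attach_amazon_managed_service_prometheus_policy"></a> [attach\_amazon\_managed\_service\_prometheus\_policy](#input\_attach\_amazon\_managed\_service\_prometheus\_policy) | Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role | `bool` | `false` | no |
 | <a name="input_attach_aws_gateway_controller_policy"></a> [attach\_aws\_gateway\_controller\_policy](#input\_attach\_aws\_gateway\_controller\_policy) | Determines whether to attach the AWS Gateway Controller IAM policy to the role | `bool` | `false` | no |
@@ -183,27 +183,27 @@ No modules.
 | <a name="input_attach_node_termination_handler_policy"></a> [attach\_node\_termination\_handler\_policy](#input\_attach\_node\_termination\_handler\_policy) | Determines whether to attach the Node Termination Handler policy to the role | `bool` | `false` | no |
 | <a name="input_attach_velero_policy"></a> [attach\_velero\_policy](#input\_attach\_velero\_policy) | Determines whether to attach the Velero IAM policy to the role | `bool` | `false` | no |
 | <a name="input_attach_vpc_cni_policy"></a> [attach\_vpc\_cni\_policy](#input\_attach\_vpc\_cni\_policy) | Determines whether to attach the VPC CNI IAM policy to the role | `bool` | `false` | no |
-| <a name="input_cert_manager_hosted_zone_arns"></a> [cert\_manager\_hosted\_zone\_arns](#input\_cert\_manager\_hosted\_zone\_arns) | Route53 hosted zone ARNs to allow Cert manager to manage records | `list(string)` | <pre>[<br/> "arn:aws:route53:::hostedzone/*"<br/>]</pre> | no |
+| <a name="input_cert_manager_hosted_zone_arns"></a> [cert\_manager\_hosted\_zone\_arns](#input\_cert\_manager\_hosted\_zone\_arns) | Route53 hosted zone ARNs to allow Cert manager to manage records | `list(string)` | `[]` | no |
 | <a name="input_cluster_autoscaler_cluster_names"></a> [cluster\_autoscaler\_cluster\_names](#input\_cluster\_autoscaler\_cluster\_names) | List of cluster names to appropriately scope permissions within the Cluster Autoscaler IAM policy | `list(string)` | `[]` | no |
 | <a name="input_create"></a> [create](#input\_create) | Controls if resources should be created (affects all resources) | `bool` | `true` | no |
 | <a name="input_create_policy"></a> [create\_policy](#input\_create\_policy) | Whether to create an IAM policy that is attached to the IAM role created | `bool` | `true` | no |
 | <a name="input_description"></a> [description](#input\_description) | Description of the role | `string` | `null` | no |
 | <a name="input_ebs_csi_kms_cmk_ids"></a> [ebs\_csi\_kms\_cmk\_ids](#input\_ebs\_csi\_kms\_cmk\_ids) | KMS CMK IDs to allow EBS CSI to manage encrypted volumes | `list(string)` | `[]` | no |
 | <a name="input_enable_irsa_v2"></a> [enable\_irsa\_v2](#input\_enable\_irsa\_v2) | Determines whether to add the new IRSAv2 IAM assume role trust policy | `bool` | `false` | no |
-| <a name="input_external_dns_hosted_zone_arns"></a> [external\_dns\_hosted\_zone\_arns](#input\_external\_dns\_hosted\_zone\_arns) | Route53 hosted zone ARNs to allow External DNS to manage records | `list(string)` | <pre>[<br/> "arn:aws:route53:::hostedzone/*"<br/>]</pre> | no |
-| <a name="input_external_secrets_kms_key_arns"></a> [external\_secrets\_kms\_key\_arns](#input\_external\_secrets\_kms\_key\_arns) | List of KMS Key ARNs that are used by Secrets Manager that contain secrets to mount using External Secrets | `list(string)` | <pre>[<br/> "arn:aws:kms:*:*:key/*"<br/>]</pre> | no |
-| <a name="input_external_secrets_secrets_manager_arns"></a> [external\_secrets\_secrets\_manager\_arns](#input\_external\_secrets\_secrets\_manager\_arns) | List of Secrets Manager ARNs that contain secrets to mount using External Secrets | `list(string)` | <pre>[<br/> "arn:aws:secretsmanager:*:*:secret:*"<br/>]</pre> | no |
+| <a name="input_external_dns_hosted_zone_arns"></a> [external\_dns\_hosted\_zone\_arns](#input\_external\_dns\_hosted\_zone\_arns) | Route53 hosted zone ARNs to allow External DNS to manage records | `list(string)` | `[]` | no |
+| <a name="input_external_secrets_kms_key_arns"></a> [external\_secrets\_kms\_key\_arns](#input\_external\_secrets\_kms\_key\_arns) | List of KMS Key ARNs that are used by Secrets Manager that contain secrets to mount using External Secrets | `list(string)` | `[]` | no |
+| <a name="input_external_secrets_secrets_manager_arns"></a> [external\_secrets\_secrets\_manager\_arns](#input\_external\_secrets\_secrets\_manager\_arns) | List of Secrets Manager ARNs that contain secrets to mount using External Secrets | `list(string)` | `[]` | no |
 | <a name="input_external_secrets_secrets_manager_create_permission"></a> [external\_secrets\_secrets\_manager\_create\_permission](#input\_external\_secrets\_secrets\_manager\_create\_permission) | Determines whether External Secrets may use secretsmanager:CreateSecret | `bool` | `false` | no |
-| <a name="input_external_secrets_ssm_parameter_arns"></a> [external\_secrets\_ssm\_parameter\_arns](#input\_external\_secrets\_ssm\_parameter\_arns) | List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets | `list(string)` | <pre>[<br/> "arn:aws:ssm:*:*:parameter/*"<br/>]</pre> | no |
+| <a name="input_external_secrets_ssm_parameter_arns"></a> [external\_secrets\_ssm\_parameter\_arns](#input\_external\_secrets\_ssm\_parameter\_arns) | List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets | `list(string)` | `[]` | no |
 | <a name="input_fsx_lustre_csi_service_role_arns"></a> [fsx\_lustre\_csi\_service\_role\_arns](#input\_fsx\_lustre\_csi\_service\_role\_arns) | Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles | `list(string)` | <pre>[<br/> "arn:aws:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*"<br/>]</pre> | no |
 | <a name="input_fsx_openzfs_csi_service_role_arns"></a> [fsx\_openzfs\_csi\_service\_role\_arns](#input\_fsx\_openzfs\_csi\_service\_role\_arns) | Service role ARNs to allow FSx for OpenZFS CSI create and manage FSX for openzfs service linked roles | `list(string)` | <pre>[<br/> "arn:aws:iam::*:role/aws-service-role/fsx.amazonaws.com/*"<br/>]</pre> | no |
-| <a name="input_load_balancer_controller_targetgroup_arns"></a> [load\_balancer\_controller\_targetgroup\_arns](#input\_load\_balancer\_controller\_targetgroup\_arns) | List of Target groups ARNs using Load Balancer Controller | `list(string)` | <pre>[<br/> "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"<br/>]</pre> | no |
+| <a name="input_load_balancer_controller_targetgroup_arns"></a> [load\_balancer\_controller\_targetgroup\_arns](#input\_load\_balancer\_controller\_targetgroup\_arns) | List of Target groups ARNs using Load Balancer Controller | `list(string)` | `[]` | no |
 | <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours | `number` | `null` | no |
 | <a name="input_mountpoint_s3_csi_bucket_arns"></a> [mountpoint\_s3\_csi\_bucket\_arns](#input\_mountpoint\_s3\_csi\_bucket\_arns) | S3 bucket ARNs to allow Mountpoint S3 CSI to list buckets | `list(string)` | `[]` | no |
 | <a name="input_mountpoint_s3_csi_kms_arns"></a> [mountpoint\_s3\_csi\_kms\_arns](#input\_mountpoint\_s3\_csi\_kms\_arns) | KMS Key ARNs to allow Mountpoint S3 CSI driver to download and upload Objects of a S3 bucket using `aws:kms` SSE | `list(string)` | `[]` | no |
 | <a name="input_mountpoint_s3_csi_path_arns"></a> [mountpoint\_s3\_csi\_path\_arns](#input\_mountpoint\_s3\_csi\_path\_arns) | S3 path ARNs to allow Mountpoint S3 CSI driver to manage items at the provided path(s). This is required if `attach_mountpoint_s3_csi_policy = true` | `list(string)` | `[]` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to use on IAM role created | `string` | `null` | no |
-| <a name="input_node_termination_handler_sqs_queue_arns"></a> [node\_termination\_handler\_sqs\_queue\_arns](#input\_node\_termination\_handler\_sqs\_queue\_arns) | List of SQS ARNs that contain node termination events | `list(string)` | <pre>[<br/> "*"<br/>]</pre> | no |
+| <a name="input_node_termination_handler_sqs_queue_arns"></a> [node\_termination\_handler\_sqs\_queue\_arns](#input\_node\_termination\_handler\_sqs\_queue\_arns) | List of SQS ARNs that contain node termination events | `list(string)` | `[]` | no |
 | <a name="input_oidc_providers"></a> [oidc\_providers](#input\_oidc\_providers) | Map of OIDC providers where each provider map should contain the `provider`, `provider_arn`, and `namespace_service_accounts` | `any` | `{}` | no |
 | <a name="input_override_policy_documents"></a> [override\_policy\_documents](#input\_override\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid` | `list(string)` | `[]` | no |
 | <a name="input_path"></a> [path](#input\_path) | Path of IAM role | `string` | `"/"` | no |
@@ -216,7 +216,7 @@ No modules.
 | <a name="input_source_policy_documents"></a> [source\_policy\_documents](#input\_source\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
 | <a name="input_use_name_prefix"></a> [use\_name\_prefix](#input\_use\_name\_prefix) | Determines whether the IAM role/policy name (`name`/`policy_name`) is used as a prefix | `bool` | `true` | no |
-| <a name="input_velero_s3_bucket_arns"></a> [velero\_s3\_bucket\_arns](#input\_velero\_s3\_bucket\_arns) | List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources | `list(string)` | <pre>[<br/> "*"<br/>]</pre> | no |
+| <a name="input_velero_s3_bucket_arns"></a> [velero\_s3\_bucket\_arns](#input\_velero\_s3\_bucket\_arns) | List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources | `list(string)` | `[]` | no |
 | <a name="input_vpc_cni_enable_cloudwatch_logs"></a> [vpc\_cni\_enable\_cloudwatch\_logs](#input\_vpc\_cni\_enable\_cloudwatch\_logs) | Determines whether to enable VPC CNI permission to create CloudWatch Log groups and publish network policy events | `bool` | `false` | no |
 | <a name="input_vpc_cni_enable_ipv4"></a> [vpc\_cni\_enable\_ipv4](#input\_vpc\_cni\_enable\_ipv4) | Determines whether to enable IPv4 permissions for VPC CNI policy | `bool` | `false` | no |
 | <a name="input_vpc_cni_enable_ipv6"></a> [vpc\_cni\_enable\_ipv6](#input\_vpc\_cni\_enable\_ipv6) | Determines whether to enable IPv6 permissions for VPC CNI policy | `bool` | `false` | no |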

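--- a/modules/iam-role-for-service-accounts/variables.tf
+++ b/modules/iam-role-for-service-accounts/variables.tf
@@ -161,7 +161,7 @@ variable "attach_cert_manager_policy" {
 variable "cert_manager_hosted_zone_arns" {
 description = "Route53 hosted zone ARNs to allow Cert manager to manage records"
 type = list(string)
-default = ["arn:aws:route53:::hostedzone/*"]
+default = []
 }
 
 # Cluster autoscaler
@@ -232,7 +232,7 @@ variable "attach_external_dns_policy" {
 variable "external_dns_hosted_zone_arns" {
 description = "Route53 hosted zone ARNs to allow External DNS to manage records"
 type = list(string)
-default = ["arn:aws:route53:::hostedzone/*"]
+default = []
 }
 
 # External Secrets
@@ -245,19 +245,19 @@ variable "attach_external_secrets_policy" {
 variable "external_secrets_ssm_parameter_arns" {
 description = "List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets"
 type = list(string)
-default = ["arn:aws:ssm:*:*:parameter/*"]
+default = []
 }
 
 variable "external_secrets_secrets_manager_arns" {
 description = "List of Secrets Manager ARNs that contain secrets to mount using External Secrets"
 type = list(string)
-default = ["arn:aws:secretsmanager:*:*:secret:*"]
+default = []
 }
 
 variable "external_secrets_kms_key_arns" {
 description = "List of KMS Key ARNs that are used by Secrets Manager that contain secrets to mount using External Secrets"
 type = list(string)
-default = ["arn:aws:kms:*:*:key/*"]
+default = []
 }
 
 variable "external_secrets_secrets_manager_create_permission" {
@@ -310,7 +310,7 @@ variable "attach_load_balancer_controller_targetgroup_binding_only_policy" {
 variable "load_balancer_controller_targetgroup_arns" {
 description = "List of Target groups ARNs using Load Balancer Controller"
 type = list(string)
-default = ["arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"]
+default = []
 }
 
 # Amazon Managed Service for Prometheus
@@ -323,7 +323,7 @@ variable "attach_amazon_managed_service_prometheus_policy" {
 variable "amazon_managed_service_prometheus_workspace_arns" {
 description = "List of AMP Workspace ARNs to read and write metrics"
 type = list(string)
-default = ["*"]
+default = []
 }
 
 # Velero
@@ -336,7 +336,7 @@ variable "attach_velero_policy" {
 variable "velero_s3_bucket_arns" {
 description = "List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources"
 type = list(string)
-default = ["*"]
+default = []
 }
 
 # VPC CNI
@@ -374,7 +374,7 @@ variable "attach_node_termination_handler_policy" {
 variable "node_termination_handler_sqs_queue_arns" {
 description = "List of SQS ARNs that contain node termination events"
 type = list(string)
-default = ["*"]
+default = []
 }
 
 # Amazon CloudWatch Observability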
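Review bot: Dropping the wildcard defaults to `[]` is the right least-privilege move, but none of the changed variables say that the list is now mandatory when its `attach_*_policy` flag is set, so a caller who enables Velero or External Secrets without supplying ARNs presumably ends up with a statement whose `resources` is empty, which the AWS provider rejects only at plan/apply time (the consuming `main.tf` is not in this commit, so I cannot confirm how the lists are used). The module already documents this requirement for `mountpoint_s3_csi_path_arns`; follow that pattern here, e.g. `description = "List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources. This is required if attach_velero_policy = true"`, and likewise for the other eight variables. A `precondition` on the policy resource, or a variable `validation` on Terraform versions that allow cross-variable references, would turn the late provider error into a clear plan-time message. Note that the README in this same commit still shows wildcard defaults for `fsx_lustre_csi_service_role_arns` and `fsx_openzfs_csi_service_role_arns`; if leaving those is intentional because they are service-linked role paths, the commit message should say so.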
