Merge pull request #110 from azafar212/renovate/add-abilitiy-to-deplo…

…y-to-verious-aws-partitions

added ability to deploy into multiple aws partitions by restructuring iam policy

iam.tf

@@ -1,6 +1,155 @@
+data "aws_iam_policy_document" "ebs_controller_policy" {
+  statement {
+    effect    = "Allow"
+    resources = ["*"]
+
+    actions = [
+      "ec2:CreateSnapshot",
+      "ec2:AttachVolume",
+      "ec2:DetachVolume",
+      "ec2:ModifyVolume",
+      "ec2:DescribeAvailabilityZones",
+      "ec2:DescribeInstances",
+      "ec2:DescribeSnapshots",
+      "ec2:DescribeTags",
+      "ec2:DescribeVolumes",
+      "ec2:DescribeVolumesModifications",
+    ]
+  }
+
+  statement {
+    effect = "Allow"
+
+    resources = [
+      "arn:${var.arn_format}:ec2:*:*:volume/*",
+      "arn:${var.arn_format}:ec2:*:*:snapshot/*",
+    ]
+
+    actions = ["ec2:CreateTags"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "ec2:CreateAction"
+
+      values = [
+        "CreateVolume",
+        "CreateSnapshot",
+      ]
+    }
+  }
+
+  statement {
+    effect = "Allow"
+
+    resources = [
+      "arn:${var.arn_format}:ec2:*:*:volume/*",
+      "arn:${var.arn_format}:ec2:*:*:snapshot/*",
+    ]
+
+    actions = ["ec2:DeleteTags"]
+  }
+
+  statement {
+    effect    = "Allow"
+    resources = ["*"]
+    actions   = ["ec2:CreateVolume"]
+
+    condition {
+      test     = "StringLike"
+      variable = "aws:RequestTag/ebs.csi.aws.com/cluster"
+      values   = ["true"]
+    }
+  }
+
+  statement {
+    effect    = "Allow"
+    resources = ["*"]
+    actions   = ["ec2:CreateVolume"]
+
+    condition {
+      test     = "StringLike"
+      variable = "aws:RequestTag/CSIVolumeName"
+      values   = ["*"]
+    }
+  }
+
+  statement {
+    effect    = "Allow"
+    resources = ["*"]
+    actions   = ["ec2:CreateVolume"]
+
+    condition {
+      test     = "StringLike"
+      variable = "aws:RequestTag/kubernetes.io/cluster/*"
+      values   = ["owned"]
+    }
+  }
+
+  statement {
+    effect    = "Allow"
+    resources = ["*"]
+    actions   = ["ec2:DeleteVolume"]
+
+    condition {
+      test     = "StringLike"
+      variable = "ec2:ResourceTag/ebs.csi.aws.com/cluster"
+      values   = ["true"]
+    }
+  }
+
+  statement {
+    effect    = "Allow"
+    resources = ["*"]
+    actions   = ["ec2:DeleteVolume"]
+
+    condition {
+      test     = "StringLike"
+      variable = "ec2:ResourceTag/CSIVolumeName"
+      values   = ["*"]
+    }
+  }
+
+  statement {
+    effect    = "Allow"
+    resources = ["*"]
+    actions   = ["ec2:DeleteVolume"]
+
+    condition {
+      test     = "StringLike"
+      variable = "ec2:ResourceTag/kubernetes.io/cluster/*"
+      values   = ["owned"]
+    }
+  }
+
+  statement {
+    effect    = "Allow"
+    resources = ["*"]
+    actions   = ["ec2:DeleteSnapshot"]
+
+    condition {
+      test     = "StringLike"
+      variable = "ec2:ResourceTag/CSIVolumeSnapshotName"
+      values   = ["*"]
+    }
+  }
+
+  statement {
+    effect    = "Allow"
+    resources = ["*"]
+    actions   = ["ec2:DeleteSnapshot"]
+
+    condition {
+      test     = "StringLike"
+      variable = "ec2:ResourceTag/ebs.csi.aws.com/cluster"
+      values   = ["true"]
+    }
+  }
+}
+
+
 resource "aws_iam_policy" "ebs_controller_policy" {
   name_prefix = var.ebs_csi_controller_role_policy_name_prefix
-  policy      = file("${path.module}/iam-policy.json") #tfsec:ignore:aws-iam-no-policy-wildcards
+  policy      = data.aws_iam_policy_document.ebs_controller_policy.json
   tags        = var.tags
 }
 

variables.tf

@@ -189,6 +189,12 @@ variable "controller_csi_snapshotter_resources" {
   })
 }
 
+variable "arn_format" {
+  type        = string
+  default     = "aws"
+  description = "ARNs identifier, usefull for GovCloud begin with `aws-us-gov`"
+}
+
 variable "controller_ebs_plugin_resources" {
   description = "The controller ebs plugin resources"
   default = {