diff --git a/iam-policy.json b/iam-policy.json
deleted file mode 100644
index 4e34097..0000000
--- a/iam-policy.json
+++ /dev/null
@@ -1,145 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateSnapshot",
- "ec2:AttachVolume",
- "ec2:DetachVolume",
- "ec2:ModifyVolume",
- "ec2:DescribeAvailabilityZones",
- "ec2:DescribeInstances",
- "ec2:DescribeSnapshots",
- "ec2:DescribeTags",
- "ec2:DescribeVolumes",
- "ec2:DescribeVolumesModifications"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateTags"
- ],
- "Resource": [
- "arn:aws:ec2:*:*:volume/*",
- "arn:aws:ec2:*:*:snapshot/*"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:CreateAction": [
- "CreateVolume",
- "CreateSnapshot"
- ]
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DeleteTags"
- ],
- "Resource": [
- "arn:aws:ec2:*:*:volume/*",
- "arn:aws:ec2:*:*:snapshot/*"
- ]
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateVolume"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "aws:RequestTag/ebs.csi.aws.com/cluster": "true"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateVolume"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "aws:RequestTag/CSIVolumeName": "*"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateVolume"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "aws:RequestTag/kubernetes.io/cluster/*": "owned"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DeleteVolume"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DeleteVolume"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "ec2:ResourceTag/CSIVolumeName": "*"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DeleteVolume"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "ec2:ResourceTag/kubernetes.io/cluster/*": "owned"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DeleteSnapshot"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "ec2:ResourceTag/CSIVolumeSnapshotName": "*"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DeleteSnapshot"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
- }
- }
- }
- ]
- }
\ No newline at end of file
diff --git a/iam.tf b/iam.tf
index dea8edd..0c8da55 100644
--- a/iam.tf
+++ b/iam.tf
@@ -1,6 +1,155 @@
+data "aws_iam_policy_document" "ebs_controller_policy" {
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+
+ actions = [
+ "ec2:CreateSnapshot",
+ "ec2:AttachVolume",
+ "ec2:DetachVolume",
+ "ec2:ModifyVolume",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeInstances",
+ "ec2:DescribeSnapshots",
+ "ec2:DescribeTags",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeVolumesModifications",
+ ]
+ }
+
+ statement {
+ effect = "Allow"
+
+ resources = [
+ "arn:${var.arn_format}:ec2:*:*:volume/*",
+ "arn:${var.arn_format}:ec2:*:*:snapshot/*",
+ ]
+
+ actions = ["ec2:CreateTags"]
+
+ condition {
+ test = "StringEquals"
+ variable = "ec2:CreateAction"
+
+ values = [
+ "CreateVolume",
+ "CreateSnapshot",
+ ]
+ }
+ }
+
+ statement {
+ effect = "Allow"
+
+ resources = [
+ "arn:${var.arn_format}:ec2:*:*:volume/*",
+ "arn:${var.arn_format}:ec2:*:*:snapshot/*",
+ ]
+
+ actions = ["ec2:DeleteTags"]
+ }
+
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["ec2:CreateVolume"]
+
+ condition {
+ test = "StringLike"
+ variable = "aws:RequestTag/ebs.csi.aws.com/cluster"
+ values = ["true"]
+ }
+ }
+
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["ec2:CreateVolume"]
+
+ condition {
+ test = "StringLike"
+ variable = "aws:RequestTag/CSIVolumeName"
+ values = ["*"]
+ }
+ }
+
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["ec2:CreateVolume"]
+
+ condition {
+ test = "StringLike"
+ variable = "aws:RequestTag/kubernetes.io/cluster/*"
+ values = ["owned"]
+ }
+ }
+
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["ec2:DeleteVolume"]
+
+ condition {
+ test = "StringLike"
+ variable = "ec2:ResourceTag/ebs.csi.aws.com/cluster"
+ values = ["true"]
+ }
+ }
+
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["ec2:DeleteVolume"]
+
+ condition {
+ test = "StringLike"
+ variable = "ec2:ResourceTag/CSIVolumeName"
+ values = ["*"]
+ }
+ }
+
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["ec2:DeleteVolume"]
+
+ condition {
+ test = "StringLike"
+ variable = "ec2:ResourceTag/kubernetes.io/cluster/*"
+ values = ["owned"]
+ }
+ }
+
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["ec2:DeleteSnapshot"]
+
+ condition {
+ test = "StringLike"
+ variable = "ec2:ResourceTag/CSIVolumeSnapshotName"
+ values = ["*"]
+ }
+ }
+
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["ec2:DeleteSnapshot"]
+
+ condition {
+ test = "StringLike"
+ variable = "ec2:ResourceTag/ebs.csi.aws.com/cluster"
+ values = ["true"]
+ }
+ }
+}
+
 resource "aws_iam_policy" "ebs_controller_policy" {
 name_prefix = var.ebs_csi_controller_role_policy_name_prefix
- policy = file("${path.module}/iam-policy.json") #tfsec:ignore:aws-iam-no-policy-wildcards
+ policy = data.aws_iam_policy_document.ebs_controller_policy.json
 tags = var.tags
 }
diff --git a/variables.tf b/variables.tf
index 4d608f2..ed0b974 100644
--- a/variables.tf
+++ b/variables.tf
@@ -189,6 +189,12 @@ variable "controller_csi_snapshotter_resources" {
 })
 }
 
+variable "arn_format" {
+ type = string
+ default = "aws"
+ description = "ARNs identifier, usefull for GovCloud begin with `aws-us-gov`"
+}
+
 variable "controller_ebs_plugin_resources" {
 description = "The controller ebs plugin resources"
 default = {
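Review bot: The `#tfsec:ignore:aws-iam-no-policy-wildcards` suppression disappears with the removed `policy = file(...)` line, yet every `resources = ["*"]` statement from the JSON is carried over verbatim into the new data source, so if this repository runs tfsec the scan will most likely start failing on `aws_iam_policy.ebs_controller_policy` (tfsec follows `aws_iam_policy_document` references as far as I know). Either put the suppression back on the new `policy = data.aws_iam_policy_document.ebs_controller_policy.json #tfsec:ignore:aws-iam-no-policy-wildcards` line, with a short comment explaining which actions (the `ec2:Describe*` calls in the first statement) genuinely need `*`, or narrow the first statement's `AttachVolume`/`DetachVolume`/`CreateSnapshot`/`ModifyVolume` to volume and instance ARNs built from `var.arn_format` where that matches how the driver is deployed. Note also that the `CreateVolume`/`DeleteVolume`/`DeleteSnapshot` statements testing `CSIVolumeName` and `CSIVolumeSnapshotName` use `values = ["*"]`, so their effective condition is "tag is present" rather than any particular value; a one-line comment on each stating that intent would stop a later reader from "tightening" them by accident. The data block and the resource block are both entirely within this hunk.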
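Review bot: The description of the new `arn_format` variable has a typo and does not say what the value actually is (the ARN partition that is interpolated into the IAM resource ARNs in `iam.tf`); a clearer line would be `description = "ARN partition used when building resource ARNs in the IAM policy; defaults to aws, GovCloud uses aws-us-gov"`. Because the value lands inside the `arn:...:ec2:*:*:volume/*` patterns, an unexpected string does not error out, it just makes the tag statements match nothing, so a `validation` block restricting the value to the known partitions (`aws`, `aws-us-gov`, `aws-cn`) would turn that silent misconfiguration into a plan-time error, assuming the module's minimum Terraform version supports variable validation. Alternatively the partition can be read from `data "aws_partition" "current"` instead of asking the caller, which removes the variable altogether.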