CLD-8753: Add iam policy for nodes (#799)

mattermost · Jan 13, 2025 · 68aa795 · 68aa795
1 parent 55969d3
commit 68aa795
Show file tree

Hide file tree

Showing 4 changed files with 167 additions and 13 deletions.
diff --git a/aws/eks-customer/README.md b/aws/eks-customer/README.md
@@ -40,6 +40,7 @@
 | [aws_eks_addon.snapshot-controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) | resource |
 | [aws_iam_policy.bifrost](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.external-secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.node](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_route53_record.internal](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_secretsmanager_secret.kubeconfig_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
@@ -77,8 +78,6 @@
 | <a name="input_atlantis_user_arn"></a> [atlantis\_user\_arn](#input\_atlantis\_user\_arn) | The atlantis user arn | `string` | n/a | yes |
 | <a name="input_attach_cluster_encryption_policy"></a> [attach\_cluster\_encryption\_policy](#input\_attach\_cluster\_encryption\_policy) | Indicates whether or not to attach an additional policy for the cluster IAM role to utilize the encryption key provided | `bool` | `false` | no |
 | <a name="input_calico_operator_version"></a> [calico\_operator\_version](#input\_calico\_operator\_version) | The version of the Calico operator | `string` | n/a | yes |
-| <a name="input_cloud_provisioning_ec2_policy_arn"></a> [cloud\_provisioning\_ec2\_policy\_arn](#input\_cloud\_provisioning\_ec2\_policy\_arn) | The cloud provisioning ec2 policy arn to perform ec2 volume operations | `string` | n/a | yes |
-| <a name="input_cloud_provisioning_node_policy_arn"></a> [cloud\_provisioning\_node\_policy\_arn](#input\_cloud\_provisioning\_node\_policy\_arn) | The cloud provisioning node policy arn | `string` | n/a | yes |
 | <a name="input_cluster_enabled_log_types"></a> [cluster\_enabled\_log\_types](#input\_cluster\_enabled\_log\_types) | The list of log types to enable | `list(string)` | n/a | yes |
 | <a name="input_cluster_encryption_config"></a> [cluster\_encryption\_config](#input\_cluster\_encryption\_config) | Configuration block with encryption configuration for the cluster. To disable secret encryption, set this value to `{}` | `any` | `{}` | no |
 | <a name="input_cluster_endpoint_private_access"></a> [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Indicates whether or not the Amazon EKS private API server endpoint is enabled | `bool` | n/a | yes |

diff --git a/aws/eks-customer/eks_managed_node-group.tf b/aws/eks-customer/eks_managed_node-group.tf
@@ -33,8 +33,7 @@ module "managed_node_group" {
   instance_types             = each.value.instance_types
 
   iam_role_additional_policies = {
-    cloudProvisioningNode = var.cloud_provisioning_node_policy_arn
-    cloudProvisioningEC2  = var.cloud_provisioning_ec2_policy_arn
+    cloudNode = aws_iam_policy.node.arn
   }
 
   cluster_service_cidr              = module.eks.cluster_service_cidr

diff --git a/aws/eks-customer/eks_policies.tf b/aws/eks-customer/eks_policies.tf
@@ -0,0 +1,156 @@
+resource "aws_iam_policy" "node" {
+  name        = "eks-customer-node-${module.eks.cluster_name}"
+  path        = "/"
+  description = "Policy for eks-customer node."
+
+  policy = <<EOF
+{
+    "Statement": [
+        {
+            "Action": [
+                "s3:ListBucket",
+                "s3:ListBucketVersions",
+                "s3:CreateBucket"
+            ],
+            "Effect": "Allow",
+            "Resource": [
+                "arn:aws:s3:::cloud-${var.environment}-*"
+            ],
+            "Sid": "AllS3Bucket"
+        },
+        {
+            "Action": [
+                "s3:PutObject",
+                "s3:GetObject",
+                "s3:GetObjectVersion",
+                "s3:DeleteObject*"
+            ],
+            "Effect": "Allow",
+            "Resource": [
+                "arn:aws:s3:::cloud-${var.environment}-*/*"
+            ],
+            "Sid": "AllS3Object"
+        },
+        {
+            "Action": [
+                "ec2:AttachVolume",
+                "ec2:AuthorizeSecurityGroupIngress",
+                "ec2:DescribeInstances",
+                "ec2:DeleteTags",
+                "ec2:DescribeRegions",
+                "ec2:DescribeSnapshots",
+                "ec2:DeleteVolume",
+                "ec2:DescribeVolumeStatus",
+                "ec2:DeleteNetworkInterfacePermission",
+                "ec2:StartInstances",
+                "ec2:CreateNetworkInterfacePermission",
+                "ec2:DescribeAvailabilityZones",
+                "ec2:DescribeVolumes",
+                "ec2:DescribeReservedInstances",
+                "ec2:DescribeReservedInstancesListings",
+                "ec2:DescribeInstanceStatus",
+                "ec2:DetachVolume",
+                "ec2:AuthorizeSecurityGroupEgress",
+                "ec2:AuthorizeSecurityGroupIngress",
+                "ec2:ModifyVolume",
+                "ec2:TerminateInstances",
+                "ec2:DescribeTags",
+                "ec2:CreateTags",
+                "ec2:RunInstances",
+                "ec2:StopInstances",
+                "ec2:DescribeSecurityGroups",
+                "ec2:CreateVolume",
+                "ec2:DescribeLaunchTemplates",
+                "ec2:DescribeLaunchTemplateVersions",
+                "ec2:GetLaunchTemplateData",
+                "ec2:ModifyLaunchTemplate",
+                "ec2:CreateLaunchTemplate",
+                "ec2:CreateLaunchTemplateVersion",
+                "ec2:DeleteLaunchTemplate",
+                "ec2:CreateLaunchTemplateVersion",
+                "ec2:DescribeImages",
+                "ec2:DescribeVpcs",
+                "ec2:AttachNetworkInterface",
+                "ec2:DescribeSubnets",
+                "ec2:ImportKeyPair",
+                "ec2:DeleteKeyPair",
+                "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
+                "elasticloadbalancing:DescribeTags",
+                "elasticloadbalancing:CreateLoadBalancer",
+                "elasticloadbalancing:CreateTargetGroup",
+                "elasticloadbalancing:CreateListener",
+                "elasticloadbalancing:DescribeTargetGroups",
+                "elasticloadbalancing:DescribeLoadBalancerAttributes",
+                "elasticloadbalancing:DescribeInstanceHealth",
+                "elasticloadbalancing:DescribeLoadBalancers",
+                "elasticloadbalancing:DescribeTargetGroupAttributes",
+                "elasticloadbalancing:DescribeListeners",
+                "elasticloadbalancing:DescribeListenerAttributes",
+                "elasticloadbalancing:DescribeTargetHealth",
+                "elasticloadbalancing:DeleteListener",
+                "elasticloadbalancing:ModifyLoadBalancerAttributes",
+                "elasticloadbalancing:CreateLoadBalancerListeners",
+                "elasticloadbalancing:DeleteLoadBalancer",
+                "elasticloadbalancing:ConfigureHealthCheck",
+                "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+                "elasticloadbalancing:AttachLoadBalancerToSubnets",
+                "elasticloadbalancing:AddTags",
+                "elasticloadbalancing:DeleteTargetGroup",
+                "elasticloadbalancing:ModifyTargetGroup",
+                "elasticloadbalancing:ModifyTargetGroupAttributes",
+                "elasticloadbalancing:ModifyListener",
+                "elasticloadbalancing:ModifyListenerAttributes",
+                "autoscaling:CreateLaunchConfiguration",
+                "autoscaling:DescribeTags",
+                "autoscaling:DeleteTags",
+                "autoscaling:DescribeLaunchConfigurations",
+                "autoscaling:CreateAutoScalingGroup",
+                "autoscaling:DeleteLaunchConfiguration",
+                "autoscaling:DeleteAutoScalingGroup",
+                "autoscaling:DescribeScalingActivities",
+                "autoscaling:DescribeAutoScalingGroups",
+                "autoscaling:UpdateAutoScalingGroup",
+                "autoscaling:EnableMetricsCollection",
+                "autoscaling:AttachLoadBalancers",
+                "autoscaling:DetachLoadBalancers",
+                "autoscaling:DescribeLoadBalancers",
+                "autoscaling:DetachInstances",
+                "autoscaling:SuspendProcesses",
+                "autoscaling:TerminateInstanceInAutoScalingGroup",
+                "autoscaling:CreateOrUpdateTags",
+                "autoscaling:DescribeWarmPool",
+                "autoscaling:DescribeAutoscalingInstances",
+                "autoscaling:DescribeLifecycleHooks",
+                "autoscaling:CompleteLifecycleAction",
+                "autoscaling:SetInstanceProtection",
+                "autoscaling:PutLifecycleHook",
+                "autoscaling:DeleteLifecycleHook",
+                "acm:ListCertificates",
+                "acm:ListTagsForCertificate",
+                "sqs:ListQueues",
+                "sqs:CreateQueue",
+                "sqs:TagQueue",
+                "sqs:GetQueueAttributes",
+                "sqs:ListQueueTags",
+                "sqs:DeleteQueue",
+                "events:ListRules",
+                "events:TagResource",
+                "events:PutRule",
+                "events:DescribeRule",
+                "events:ListTagsForResource",
+                "events:DeleteRule",
+                "events:PutTargets",
+                "events:ListTargetsByRule",
+                "events:RemoveTargets",
+                "elasticfilesystem:DescribeMountTargets"
+            ],
+            "Effect": "Allow",
+            "Resource": [
+                "*"
+            ]
+        }
+    ],
+    "Version": "2012-10-17"
+}
+EOF
+}
diff --git a/aws/eks-customer/variables.tf b/aws/eks-customer/variables.tf
@@ -85,15 +85,15 @@ variable "node_groups" {
   default     = {}
 }
 
-variable "cloud_provisioning_node_policy_arn" {
-  description = "The cloud provisioning node policy arn"
-  type        = string
-}
-
-variable "cloud_provisioning_ec2_policy_arn" {
-  description = "The cloud provisioning ec2 policy arn to perform ec2 volume operations"
-  type        = string
-}
+# variable "cloud_provisioning_node_policy_arn" {
+#   description = "The cloud provisioning node policy arn"
+#   type        = string
+# }
+
+# variable "cloud_provisioning_ec2_policy_arn" {
+#   description = "The cloud provisioning ec2 policy arn to perform ec2 volume operations"
+#   type        = string
+# }
 
 variable "utilities" {
   description = "The list of utilities"