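# IAM policies needed by the AWS cloud provider integration (CPI).
# The expected policies are defined here: https://github.com/kubernetes/cloud-provider-aws#readme
#
# Every master/worker resource in this file is created only when the matching
# `var.iam_profile_master` / `var.iam_profile_worker` variable is empty; when a
# caller supplies an existing instance profile name, nothing is created here.
#
# NOTE(review): both inline policies use "Resource": "*", as the upstream README
# prescribes. The master policy therefore allows account-wide create/delete of
# security groups, routes, volumes and load balancers. These credentials are
# reachable by any process on a master node that can query the EC2 instance
# metadata endpoint, so untrusted workloads on masters should be kept away from
# the metadata service (IMDSv2 / hop limit, or a network policy) -- TODO confirm
# this is enforced by the launch configuration used for these nodes.

locals {
  aws_iam_instance_profile_master_terraform = "${var.stack_name}_cpi_master"
  aws_iam_instance_profile_worker_terraform = "${var.stack_name}_cpi_worker"

  # Trust policy shared by the master and worker roles: only the EC2 service
  # may assume them (i.e. they are usable solely through an instance profile).
  ec2_assume_role_policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Principal": {
          "Service": "ec2.amazonaws.com"
        },
        "Effect": "Allow",
        "Sid": ""
      }
    ]
  }
  EOF
}

# Instance profile attached to master nodes (created only when no external
# profile name is supplied via var.iam_profile_master).
resource "aws_iam_instance_profile" "master" {
  name  = local.aws_iam_instance_profile_master_terraform
  role  = aws_iam_role.master[count.index].name
  count = length(var.iam_profile_master) == 0 ? 1 : 0
}

# Role assumed by master nodes through the instance profile above.
resource "aws_iam_role" "master" {
  name        = local.aws_iam_instance_profile_master_terraform
  description = "IAM role needed by CPI on master nodes"
  path        = "/"
  count       = length(var.iam_profile_master) == 0 ? 1 : 0

  assume_role_policy = local.ec2_assume_role_policy
}

# Inline policy for the master role: the controller-manager side of the CPI
# needs to describe/modify EC2 networking and volumes, manage classic and v2
# load balancers, create service-linked roles and describe KMS keys.
# The action list mirrors the upstream README; keep it in sync when bumping
# the cloud-provider-aws version.
resource "aws_iam_role_policy" "master" {
  name  = local.aws_iam_instance_profile_master_terraform
  role  = aws_iam_role.master[count.index].id
  count = length(var.iam_profile_master) == 0 ? 1 : 0

  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "autoscaling:DescribeAutoScalingGroups",
          "autoscaling:DescribeLaunchConfigurations",
          "autoscaling:DescribeTags",
          "ec2:DescribeInstances",
          "ec2:DescribeRegions",
          "ec2:DescribeRouteTables",
          "ec2:DescribeSecurityGroups",
          "ec2:DescribeSubnets",
          "ec2:DescribeVolumes",
          "ec2:CreateSecurityGroup",
          "ec2:CreateTags",
          "ec2:CreateVolume",
          "ec2:ModifyInstanceAttribute",
          "ec2:ModifyVolume",
          "ec2:AttachVolume",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:CreateRoute",
          "ec2:DeleteRoute",
          "ec2:DeleteSecurityGroup",
          "ec2:DeleteVolume",
          "ec2:DetachVolume",
          "ec2:RevokeSecurityGroupIngress",
          "ec2:DescribeVpcs",
          "elasticloadbalancing:AddTags",
          "elasticloadbalancing:AttachLoadBalancerToSubnets",
          "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
          "elasticloadbalancing:CreateLoadBalancer",
          "elasticloadbalancing:CreateLoadBalancerPolicy",
          "elasticloadbalancing:CreateLoadBalancerListeners",
          "elasticloadbalancing:ConfigureHealthCheck",
          "elasticloadbalancing:DeleteLoadBalancer",
          "elasticloadbalancing:DeleteLoadBalancerListeners",
          "elasticloadbalancing:DescribeLoadBalancers",
          "elasticloadbalancing:DescribeLoadBalancerAttributes",
          "elasticloadbalancing:DetachLoadBalancerFromSubnets",
          "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
          "elasticloadbalancing:ModifyLoadBalancerAttributes",
          "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
          "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
          "elasticloadbalancing:CreateListener",
          "elasticloadbalancing:CreateTargetGroup",
          "elasticloadbalancing:DeleteListener",
          "elasticloadbalancing:DeleteTargetGroup",
          "elasticloadbalancing:DescribeListeners",
          "elasticloadbalancing:DescribeLoadBalancerPolicies",
          "elasticloadbalancing:DescribeTargetGroups",
          "elasticloadbalancing:DescribeTargetHealth",
          "elasticloadbalancing:ModifyListener",
          "elasticloadbalancing:ModifyTargetGroup",
          "elasticloadbalancing:RegisterTargets",
          "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
          "iam:CreateServiceLinkedRole",
          "kms:DescribeKey"
        ],
        "Resource": [
          "*"
        ]
      }
    ]
  }
  EOF
}

# Instance profile attached to worker nodes (created only when no external
# profile name is supplied via var.iam_profile_worker).
resource "aws_iam_instance_profile" "worker" {
  name  = local.aws_iam_instance_profile_worker_terraform
  role  = aws_iam_role.worker[count.index].name
  count = length(var.iam_profile_worker) == 0 ? 1 : 0
}

# Role assumed by worker nodes through the instance profile above.
resource "aws_iam_role" "worker" {
  name        = local.aws_iam_instance_profile_worker_terraform
  description = "IAM role needed by CPI on worker nodes"
  path        = "/"
  count       = length(var.iam_profile_worker) == 0 ? 1 : 0

  assume_role_policy = local.ec2_assume_role_policy
}

# Inline policy for the worker role: read-only instance/region lookups for the
# kubelet plus read-only ECR access for image pulls. ecr:GetAuthorizationToken
# does not support resource-level restriction, hence "Resource": "*"; the other
# ECR actions could be narrowed to specific repository ARNs if needed.
resource "aws_iam_role_policy" "worker" {
  name  = local.aws_iam_instance_profile_worker_terraform
  role  = aws_iam_role.worker[count.index].id
  count = length(var.iam_profile_worker) == 0 ? 1 : 0

  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ec2:DescribeInstances",
          "ec2:DescribeRegions",
          "ecr:GetAuthorizationToken",
          "ecr:BatchCheckLayerAvailability",
          "ecr:GetDownloadUrlForLayer",
          "ecr:GetRepositoryPolicy",
          "ecr:DescribeRepositories",
          "ecr:ListImages",
          "ecr:BatchGetImage"
        ],
        "Resource": "*"
      }
    ]
  }
  EOF
}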