feat: aws-eks: update permissions for new terraform (#141)
fidiego authored Nov 27, 2024
1 parent 4c0f912 commit 6450a70
Showing 4 changed files with 60 additions and 2 deletions.
15 changes: 14 additions & 1 deletion aws-eks/artifacts/cloudformation-template-delegation.yaml
@@ -1,4 +1,4 @@
# generated on: 2024-11-26 22:14:04.464466 -0600 CST m=+0.017318959
# generated on: 2024-11-27 10:52:20.849229 -0600 CST m=+0.012694001
Parameters:
RoleName:
Type: String
@@ -177,11 +177,24 @@ Resources:
Resource: "*"
Action:
- ec2:DeleteNetworkAclEntry
- ecr:UntagResource
- eks:ListAccessEntries
- eks:DescribeAccessEntry
- eks:UpdateAccessEntry
- eks:DeleteAddon
- eks:DescribeAddon
- eks:ListAddons
- eks:DeleteCluster
- eks:DescribeCluster
- eks:DeleteNodegroup
- eks:DescribeNodegroup
- eks:UntagResource
- eks:ListTagsForResource
- iam:UntagPolicy
- iam:UntagRole
- kms:UntagResource
- logs:UntagResource
- logs:ListTagsForResource
- ec2:DeleteInternetGateway
- ec2:DeleteLaunchTemplate
- ec2:DeleteLaunchTemplateVersions
15 changes: 14 additions & 1 deletion aws-eks/artifacts/cloudformation-template.yaml
@@ -1,4 +1,4 @@
# generated on: 2024-11-26 22:14:04.464466 -0600 CST m=+0.017318959
# generated on: 2024-11-27 10:52:20.849229 -0600 CST m=+0.012694001
Parameters:
RoleName:
Type: String
@@ -190,11 +190,24 @@ Resources:
Resource: "*"
Action:
- ec2:DeleteNetworkAclEntry
- ecr:UntagResource
- eks:ListAccessEntries
- eks:DescribeAccessEntry
- eks:UpdateAccessEntry
- eks:DeleteAddon
- eks:DescribeAddon
- eks:ListAddons
- eks:DeleteCluster
- eks:DescribeCluster
- eks:DeleteNodegroup
- eks:DescribeNodegroup
- eks:UntagResource
- eks:ListTagsForResource
- iam:UntagPolicy
- iam:UntagRole
- kms:UntagResource
- logs:UntagResource
- logs:ListTagsForResource
- ec2:DeleteInternetGateway
- ec2:DeleteLaunchTemplate
- ec2:DeleteLaunchTemplateVersions
16 changes: 16 additions & 0 deletions aws-eks/artifacts/deprovision.json
@@ -7,11 +7,27 @@
"Resource": "*",
"Action": [
"ec2:DeleteNetworkAclEntry",
"ecr:UntagResource",
"eks:ListAccessEntries",
"eks:DeleteAccessEntry",
"eks:DescribeAccessEntry",
"eks:UpdateAccessEntry",
"eks:DisassociateAccessPolicy",
"eks:DeleteAddon",
"eks:DescribeAddon",
"eks:ListAddons",
"eks:ListAssociatedAccessPolicies",
"eks:DeleteCluster",
"eks:DescribeCluster",
"eks:DeleteNodegroup",
"eks:DescribeNodegroup",
"eks:UntagResource",
"eks:ListTagsForResource",
"iam:UntagPolicy",
"iam:UntagRole",
"kms:UntagResource",
"logs:UntagResource",
"logs:ListTagsForResource",
"ec2:DeleteInternetGateway",
"ec2:DeleteLaunchTemplate",
"ec2:DeleteLaunchTemplateVersions",
16 changes: 16 additions & 0 deletions pkg/sandboxes/aws-eks/iam.go
@@ -51,11 +51,27 @@ var ProvisionPolicy = perms.Policy{
// deprovision role permissions specific to this sandbox
var DeprovisionPermissions = append([]string{
"ec2:DeleteNetworkAclEntry",
"ecr:UntagResource",
"eks:ListAccessEntries",
"eks:DeleteAccessEntry",
"eks:DescribeAccessEntry",
"eks:UpdateAccessEntry",
"eks:DisassociateAccessPolicy",
"eks:DeleteAddon",
"eks:DescribeAddon",
"eks:ListAddons",
"eks:ListAssociatedAccessPolicies",
"eks:DeleteCluster",
"eks:DescribeCluster",
"eks:DeleteNodegroup",
"eks:DescribeNodegroup",
"eks:UntagResource",
"eks:ListTagsForResource",
"iam:UntagPolicy",
"iam:UntagRole",
"kms:UntagResource",
"logs:UntagResource",
"logs:ListTagsForResource",
}, perms.BaseDeprovisionPermissions...)

// Full deprovision role policy for this sandbox
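Review bot: The list added to `DeprovisionPermissions` here (and mirrored in aws-eks/artifacts/deprovision.json) contains `eks:DeleteAccessEntry`, `eks:DisassociateAccessPolicy` and `eks:ListAssociatedAccessPolicies`, but the two CloudFormation artifacts in this same commit (aws-eks/artifacts/cloudformation-template.yaml and cloudformation-template-delegation.yaml) do not carry those three actions even though their `# generated on` headers were refreshed. If the templates are generated from this Go list, that looks like a stale or partial regeneration; a deprovision role deployed from the templates would then be unable to delete access entries or disassociate access policies, leaving those bindings behind after teardown. Regenerating the artifacts, or adding a CI check that diffs them against `DeprovisionPermissions`, would keep the three sources consistent. A short note above the list recording that relationship would also help, e.g. `// Keep in sync with artifacts/deprovision.json and the CloudFormation templates; regenerate artifacts after editing.`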

0 comments on commit 6450a70

Please sign in to comment.