diff --git a/aws-eks/artifacts/cloudformation-template-delegation.yaml b/aws-eks/artifacts/cloudformation-template-delegation.yaml
index a00f2f0..51d8e5c 100644
--- a/aws-eks/artifacts/cloudformation-template-delegation.yaml
+++ b/aws-eks/artifacts/cloudformation-template-delegation.yaml
@@ -1,4 +1,4 @@
-# generated on: 2024-11-26 22:14:04.464466 -0600 CST m=+0.017318959
+# generated on: 2024-11-27 10:52:20.849229 -0600 CST m=+0.012694001
 Parameters:
 RoleName:
 Type: String
@@ -177,11 +177,24 @@ Resources:
 Resource: "*"
 Action:
 - ec2:DeleteNetworkAclEntry
+ - ecr:UntagResource
+ - eks:ListAccessEntries
+ - eks:DescribeAccessEntry
+ - eks:UpdateAccessEntry
 - eks:DeleteAddon
+ - eks:DescribeAddon
+ - eks:ListAddons
 - eks:DeleteCluster
 - eks:DescribeCluster
 - eks:DeleteNodegroup
 - eks:DescribeNodegroup
+ - eks:UntagResource
+ - eks:ListTagsForResource
+ - iam:UntagPolicy
+ - iam:UntagRole
+ - kms:UntagResource
+ - logs:UntagResource
+ - logs:ListTagsForResource
 - ec2:DeleteInternetGateway
 - ec2:DeleteLaunchTemplate
 - ec2:DeleteLaunchTemplateVersions
diff --git a/aws-eks/artifacts/cloudformation-template.yaml b/aws-eks/artifacts/cloudformation-template.yaml
index 1191170..fee06b9 100644
--- a/aws-eks/artifacts/cloudformation-template.yaml
+++ b/aws-eks/artifacts/cloudformation-template.yaml
@@ -1,4 +1,4 @@
-# generated on: 2024-11-26 22:14:04.464466 -0600 CST m=+0.017318959
+# generated on: 2024-11-27 10:52:20.849229 -0600 CST m=+0.012694001
 Parameters:
 RoleName:
 Type: String
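Review bot: The action list added to this statement (and the matching hunk of aws-eks/artifacts/cloudformation-template.yaml at `@@ -190`) is missing `eks:DeleteAccessEntry`, `eks:DisassociateAccessPolicy` and `eks:ListAssociatedAccessPolicies`, which the same commit adds to aws-eks/artifacts/deprovision.json and to `DeprovisionPermissions` in pkg/sandboxes/aws-eks/iam.go. Both templates carry the same `# generated on:` stamp, so they were presumably regenerated from iam.go before those three actions landed; if so, rerun the generator so the role deployed through CloudFormation matches the source, otherwise a teardown that relies on the JSON policy's access-entry cleanup would presumably be denied on the CloudFormation-created role. The list sits under `Resource: "*"`, so every added action applies account-wide rather than to this sandbox's cluster; that scope is pre-existing, but it is worth stating in the generator's source comment so the breadth is a documented decision rather than an accident. The rest of this statement (its Effect and the tail of the action list) lies outside the hunk.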
@@ -190,11 +190,24 @@ Resources:
 Resource: "*"
 Action:
 - ec2:DeleteNetworkAclEntry
+ - ecr:UntagResource
+ - eks:ListAccessEntries
+ - eks:DescribeAccessEntry
+ - eks:UpdateAccessEntry
 - eks:DeleteAddon
+ - eks:DescribeAddon
+ - eks:ListAddons
 - eks:DeleteCluster
 - eks:DescribeCluster
 - eks:DeleteNodegroup
 - eks:DescribeNodegroup
+ - eks:UntagResource
+ - eks:ListTagsForResource
+ - iam:UntagPolicy
+ - iam:UntagRole
+ - kms:UntagResource
+ - logs:UntagResource
+ - logs:ListTagsForResource
 - ec2:DeleteInternetGateway
 - ec2:DeleteLaunchTemplate
 - ec2:DeleteLaunchTemplateVersions
diff --git a/aws-eks/artifacts/deprovision.json b/aws-eks/artifacts/deprovision.json
index fef9188..8708c76 100644
--- a/aws-eks/artifacts/deprovision.json
+++ b/aws-eks/artifacts/deprovision.json
@@ -7,11 +7,27 @@
 "Resource": "*",
 "Action": [
 "ec2:DeleteNetworkAclEntry",
+ "ecr:UntagResource",
+ "eks:ListAccessEntries",
+ "eks:DeleteAccessEntry",
+ "eks:DescribeAccessEntry",
+ "eks:UpdateAccessEntry",
+ "eks:DisassociateAccessPolicy",
 "eks:DeleteAddon",
+ "eks:DescribeAddon",
+ "eks:ListAddons",
+ "eks:ListAssociatedAccessPolicies",
 "eks:DeleteCluster",
 "eks:DescribeCluster",
 "eks:DeleteNodegroup",
 "eks:DescribeNodegroup",
+ "eks:UntagResource",
+ "eks:ListTagsForResource",
+ "iam:UntagPolicy",
+ "iam:UntagRole",
+ "kms:UntagResource",
+ "logs:UntagResource",
+ "logs:ListTagsForResource",
 "ec2:DeleteInternetGateway",
 "ec2:DeleteLaunchTemplate",
 "ec2:DeleteLaunchTemplateVersions",
diff --git a/pkg/sandboxes/aws-eks/iam.go b/pkg/sandboxes/aws-eks/iam.go
index 9054f2d..2e6a2ac 100644
--- a/pkg/sandboxes/aws-eks/iam.go
+++ b/pkg/sandboxes/aws-eks/iam.go
@@ -51,11 +51,27 @@ var ProvisionPolicy = perms.Policy{
 // deprovision role permissions specific to this sandbox
 var DeprovisionPermissions = append([]string{
 "ec2:DeleteNetworkAclEntry",
+ "ecr:UntagResource",
+ "eks:ListAccessEntries",
+ "eks:DeleteAccessEntry",
+ "eks:DescribeAccessEntry",
+ "eks:UpdateAccessEntry",
+ "eks:DisassociateAccessPolicy",
 "eks:DeleteAddon",
+ "eks:DescribeAddon",
+ "eks:ListAddons",
+ "eks:ListAssociatedAccessPolicies",
 "eks:DeleteCluster",
 "eks:DescribeCluster",
 "eks:DeleteNodegroup",
 "eks:DescribeNodegroup",
+ "eks:UntagResource",
+ "eks:ListTagsForResource",
+ "iam:UntagPolicy",
+ "iam:UntagRole",
+ "kms:UntagResource",
+ "logs:UntagResource",
+ "logs:ListTagsForResource",
 }, perms.BaseDeprovisionPermissions...)
 
 // Full deprovision role policy for this sandbox
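Review bot: `eks:UpdateAccessEntry` is the one mutating, non-delete action in an otherwise Delete/Describe/List/Untag list, and combined with the `"Resource": "*"` visible in the deprovision.json hunk it lets a deprovision-only role rewrite access entries on any cluster in the account, not just the sandbox's. If teardown genuinely needs it (perhaps to alter an entry before `eks:DeleteAccessEntry`), record that next to the entry, e.g. `"eks:UpdateAccessEntry", // needed during teardown: <reason — TODO confirm>`; if not, drop it so the role stays delete-only. Separately, the literal is no longer grouped by service (`ecr:` sits between `ec2:` and `eks:`, and the later `ec2:Delete*` entries follow `logs:`), which makes permission diffs like this one harder to audit — keep each service contiguous, ideally sorted. The `DeprovisionPermissions` declaration is complete within the hunk; `ProvisionPolicy` from the hunk header ends before it and the declaration after the trailing comment starts outside the hunk.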