feat: aws-eks: update permissions for new terraform
fidiego committed Dec 2, 2024
1 parent 6450a70 commit 6715f0a
Showing 16 changed files with 641 additions and 343 deletions.
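--- a/aws-ecs-byovpc/artifacts/cloudformation-template-delegation.yaml
+++ b/aws-ecs-byovpc/artifacts/cloudformation-template-delegation.yaml
@@ -0,0 +1,230 @@
+# generated on: 2024-11-27 10:52:20.849138 -0600 CST m=+0.012602251
+Parameters:
+RoleName:
+Type: String
+Default: "nuon-aws-ecs-byovpc-install-access"
+Description: "Enter a name for the install role"
+DelegationRoleARN:
+Type: String
+Default: ""
+Description: "ARN for the role that will be assumed by roles in the trust policy."
+
+Outputs:
+RoleARN:
+Description: IAM Role ARN
+Value: !GetAtt InstallRole.Arn
+
+Resources:
+
+InstallRole:
+Type: AWS::IAM::Role
+Properties:
+RoleName:
+Ref: RoleName
+Tags:
+- Key: "managed-by"
+Value: "nuon"
+- Key: "nuon-sandbox-type"
+Value: "aws-ecs-byovpc"
+AssumeRolePolicyDocument:
+Statement:
+- Effect: Allow
+Action: sts:AssumeRole
+Principal:
+AWS: !Ref DelegationRoleARN
+
+ProvisionPolicy:
+Type: AWS::IAM::Policy
+Properties:
+PolicyName: !Sub
+- nuon-provision-${RoleName}
+- RoleName: !Ref RoleName
+Roles:
+- !Ref InstallRole
+PolicyDocument:
+Statement:
+- Effect: Allow
+Resource: "*"
+Action:
+- application-autoscaling:*
+- ecs:CreateCapacityProvider
+- ecs:DescribeCapacityProviders
+- ecs:CreateCluster
+- ecs:PutClusterCapacityProviders
+- ecs:DescribeClusters
+- ecs:TagResource
+- ecs:ListTagsForResource
+- ecs:RegisterTaskDefinition
+- ec2:AllocateAddress
+- ec2:AssociateRouteTable
+- ec2:AttachInternetGateway
+- ec2:AuthorizeSecurityGroupEgress
+- ec2:AuthorizeSecurityGroupIngress
+- ec2:CreateInternetGateway
+- ec2:CreateLaunchTemplate
+- ec2:CreateLaunchTemplateVersion
+- ec2:CreateNatGateway
+- ec2:CreateRoute
+- ec2:CreateRouteTable
+- ec2:CreateSecurityGroup
+- ec2:CreateSubnet
+- ec2:CreateTags
+- ec2:CreateVpc
+- ec2:DescribeAddresses
+- ec2:DescribeAvailabilityZones
+- ec2:DescribeInternetGateways
+- ec2:DescribeLaunchTemplateVersions
+- ec2:DescribeLaunchTemplates
+- ec2:DescribeNatGateways
+- ec2:DescribeNetworkAcls
+- ec2:DescribeRouteTables
+- ec2:DescribeSecurityGroupReferences
+- ec2:DescribeSecurityGroupRules
+- ec2:DescribeSecurityGroups
+- ec2:DescribeSubnets
+- ec2:DescribeTags
+- ec2:DescribeVpcAttribute
+- ec2:DescribeVpcClassicLink
+- ec2:DescribeVpcClassicLinkDnsSupport
+- ec2:DescribeVpcs
+- ec2:ModifyLaunchTemplate
+- ec2:ModifySubnetAttribute
+- ec2:ModifyVpcAttribute
+- ec2:RevokeSecurityGroupEgress
+- ec2:RunInstances
+- ecr:CreateRepository
+- ecr:DescribeRepositories
+- ecr:ListTagsForResource
+- ecr:TagResource
+- iam:AttachRolePolicy
+- iam:CreateOpenIDConnectProvider
+- iam:CreatePolicy
+- iam:CreatePolicyVersion
+- iam:CreateRole
+- iam:CreateServiceLinkedRole
+- iam:GetOpenIDConnectProvider
+- iam:GetPolicy
+- iam:GetPolicyVersion
+- iam:GetRole
+- iam:GetRolePolicy
+- iam:ListAttachedRolePolicies
+- iam:ListRolePolicies
+- iam:PassRole
+- iam:PutRolePolicy
+- iam:TagOpenIDConnectProvider
+- iam:TagPolicy
+- iam:TagRole
+- iam:UpdateAssumeRolePolicy
+- kms:CreateAlias
+- kms:CreateGrant
+- kms:CreateKey
+- kms:DescribeKey
+- kms:GetKeyPolicy
+- kms:GetKeyRotationStatus
+- kms:ListAliases
+- kms:ListResourceTags
+- kms:PutKeyPolicy
+- kms:TagResource
+- logs:CreateLogGroup
+- logs:DescribeLogGroups
+- logs:ListTagsLogGroup
+- logs:PutRetentionPolicy
+- logs:TagLogGroup
+- logs:TagResource
+- route53:ChangeResourceRecordSets
+- route53:ChangeTagsForResource
+- route53:CreateHostedZone
+- route53:GetChange
+- route53:GetHostedZone
+- route53:ListResourceRecordSets
+- route53:ListTagsForResource
+- s3:GetObject
+- s3:ListBucket
+- s3:PutObject
+
+DeprovisionPolicy:
+Type: AWS::IAM::Policy
+Properties:
+PolicyName: !Sub
+- nuon-deprovision-${RoleName}
+- RoleName: !Ref RoleName
+Roles:
+- !Ref InstallRole
+PolicyDocument:
+Statement:
+- Effect: Allow
+Resource: "*"
+Action:
+- ecs:DeleteCapacityProvider
+- ecs:DeleteCluster
+- logs:ListTagsForResource
+- ec2:DeleteInternetGateway
+- ec2:DeleteLaunchTemplate
+- ec2:DeleteLaunchTemplateVersions
+- ec2:DeleteNatGateway
+- ec2:DeleteNetworkInterface
+- ec2:DeleteRoute
+- ec2:DeleteRouteTable
+- ec2:DeleteSecurityGroup
+- ec2:DeleteSubnet
+- ec2:DeleteTags
+- ec2:DeleteVpc
+- ec2:DescribeAddresses
+- ec2:DescribeInternetGateways
+- ec2:DescribeLaunchTemplateVersions
+- ec2:DescribeLaunchTemplates
+- ec2:DescribeNatGateways
+- ec2:DescribeNetworkAcls
+- ec2:DescribeNetworkInterfaces
+- ec2:DescribeRouteTables
+- ec2:DescribeSecurityGroupRules
+- ec2:DescribeSecurityGroups
+- ec2:DescribeSubnets
+- ec2:DescribeTags
+- ec2:DescribeVpcAttribute
+- ec2:DescribeVpcClassicLink
+- ec2:DescribeVpcClassicLinkDnsSupport
+- ec2:DescribeVpcs
+- ec2:DetachInternetGateway
+- ec2:DetachNetworkInterface
+- ec2:DisassociateAddress
+- ec2:DisassociateRouteTable
+- ec2:ReleaseAddress
+- ec2:RevokeSecurityGroupIngress
+- ecr:DeleteRepository
+- ecr:DescribeRepositories
+- ecr:ListTagsForResource
+- iam:DeleteOpenIDConnectProvider
+- iam:DeletePolicy
+- iam:DeletePolicyVersion
+- iam:DeleteRole
+- iam:DeleteRolePolicy
+- iam:DetachRolePolicy
+- iam:GetOpenIDConnectProvider
+- iam:GetPolicy
+- iam:GetPolicyVersion
+- iam:GetRole
+- iam:GetRolePolicy
+- iam:ListAttachedRolePolicies
+- iam:ListInstanceProfilesForRole
+- iam:ListPolicyVersions
+- iam:ListRolePolicies
+- kms:DeleteAlias
+- kms:DescribeKey
+- kms:GetKeyPolicy
+- kms:GetKeyRotationStatus
+- kms:ListAliases
+- kms:ListResourceTags
+- kms:RetireGrant
+- kms:ScheduleKeyDeletion
+- logs:DeleteLogGroup
+- logs:DescribeLogGroups
+- logs:ListTagsLogGroup
+- route53:ChangeTagsForResource
+- route53:DeleteHostedZone
+- route53:GetDNSSEC
+- route53:GetHostedZone
+- route53:ListResourceRecordSets
+- route53:ListTagsForResource
+- s3:GetObject
+- s3:ListBucket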
