From 6715f0a1687d8b2ef8089f2eeeaefebe36ee4629 Mon Sep 17 00:00:00 2001 From: fidiego Date: Wed, 27 Nov 2024 10:48:11 -0600 Subject: [PATCH] feat: aws-eks: update permissions for new terraform --- .../cloudformation-template-delegation.yaml | 230 ++++++++++++++++++ .../artifacts/cloudformation-template.yaml | 87 +++---- aws-ecs-byovpc/artifacts/deprovision.json | 31 +-- aws-ecs-byovpc/artifacts/provision.json | 214 ++++++++-------- aws-ecs-byovpc/artifacts/trust.json | 18 +- .../cloudformation-template-delegation.yaml | 38 ++- .../artifacts/cloudformation-template.yaml | 38 ++- aws-ecs/artifacts/deprovision.json | 14 +- aws-ecs/artifacts/provision.json | 20 +- aws-eks-byovpc/artifacts/deprovision.json | 36 +-- aws-eks-byovpc/artifacts/provision.json | 223 +++++++++-------- aws-eks-byovpc/artifacts/trust.json | 18 +- aws-eks/artifacts/deprovision.json | 3 - pkg/sandboxes/aws-ecs-byovpc/iam.go | 9 +- pkg/sandboxes/aws-eks/iam.go | 3 - pkg/sandboxes/permissions/trust.go | 2 +- 16 files changed, 641 insertions(+), 343 deletions(-) create mode 100644 aws-ecs-byovpc/artifacts/cloudformation-template-delegation.yaml diff --git a/aws-ecs-byovpc/artifacts/cloudformation-template-delegation.yaml b/aws-ecs-byovpc/artifacts/cloudformation-template-delegation.yaml new file mode 100644 index 0000000..46466b7 --- /dev/null +++ b/aws-ecs-byovpc/artifacts/cloudformation-template-delegation.yaml 
@@ -0,0 +1,230 @@ +# generated on: 2024-11-27 10:52:20.849138 -0600 CST m=+0.012602251 +Parameters: + RoleName: + Type: String + Default: "nuon-aws-ecs-byovpc-install-access" + Description: "Enter a name for the install role" + DelegationRoleARN: + Type: String + Default: "" + Description: "ARN for the role that will be assumed by roles in the trust policy." + +Outputs: + RoleARN: + Description: IAM Role ARN + Value: !GetAtt InstallRole.Arn + +Resources: + + InstallRole: + Type: AWS::IAM::Role + Properties: + RoleName: + Ref: RoleName + Tags: + - Key: "managed-by" + Value: "nuon" + - Key: "nuon-sandbox-type" + Value: "aws-ecs-byovpc" + AssumeRolePolicyDocument: + Statement: + - Effect: Allow + Action: sts:AssumeRole + Principal: + AWS: !Ref DelegationRoleARN + + ProvisionPolicy: + Type: AWS::IAM::Policy + Properties: + PolicyName: !Sub + - nuon-provision-${RoleName} + - RoleName: !Ref RoleName + Roles: + - !Ref InstallRole + PolicyDocument: + Statement: + - Effect: Allow + Resource: "*" + Action: + - application-autoscaling:* + - ecs:CreateCapacityProvider + - ecs:DescribeCapacityProviders + - ecs:CreateCluster + - ecs:PutClusterCapacityProviders + - ecs:DescribeClusters + - ecs:TagResource + - ecs:ListTagsForResource + - ecs:RegisterTaskDefinition + - ec2:AllocateAddress + - ec2:AssociateRouteTable + - ec2:AttachInternetGateway + - ec2:AuthorizeSecurityGroupEgress + - ec2:AuthorizeSecurityGroupIngress + - ec2:CreateInternetGateway + - ec2:CreateLaunchTemplate + - ec2:CreateLaunchTemplateVersion + - ec2:CreateNatGateway + - ec2:CreateRoute + - ec2:CreateRouteTable + - ec2:CreateSecurityGroup + - ec2:CreateSubnet + - ec2:CreateTags + - ec2:CreateVpc + - ec2:DescribeAddresses + - ec2:DescribeAvailabilityZones + - ec2:DescribeInternetGateways + - ec2:DescribeLaunchTemplateVersions + - ec2:DescribeLaunchTemplates + - ec2:DescribeNatGateways + - ec2:DescribeNetworkAcls + - ec2:DescribeRouteTables + - ec2:DescribeSecurityGroupReferences + - ec2:DescribeSecurityGroupRules 
+ - ec2:DescribeSecurityGroups + - ec2:DescribeSubnets + - ec2:DescribeTags + - ec2:DescribeVpcAttribute + - ec2:DescribeVpcClassicLink + - ec2:DescribeVpcClassicLinkDnsSupport + - ec2:DescribeVpcs + - ec2:ModifyLaunchTemplate + - ec2:ModifySubnetAttribute + - ec2:ModifyVpcAttribute + - ec2:RevokeSecurityGroupEgress + - ec2:RunInstances + - ecr:CreateRepository + - ecr:DescribeRepositories + - ecr:ListTagsForResource + - ecr:TagResource + - iam:AttachRolePolicy + - iam:CreateOpenIDConnectProvider + - iam:CreatePolicy + - iam:CreatePolicyVersion + - iam:CreateRole + - iam:CreateServiceLinkedRole + - iam:GetOpenIDConnectProvider + - iam:GetPolicy + - iam:GetPolicyVersion + - iam:GetRole + - iam:GetRolePolicy + - iam:ListAttachedRolePolicies + - iam:ListRolePolicies + - iam:PassRole + - iam:PutRolePolicy + - iam:TagOpenIDConnectProvider + - iam:TagPolicy + - iam:TagRole + - iam:UpdateAssumeRolePolicy + - kms:CreateAlias + - kms:CreateGrant + - kms:CreateKey + - kms:DescribeKey + - kms:GetKeyPolicy + - kms:GetKeyRotationStatus + - kms:ListAliases + - kms:ListResourceTags + - kms:PutKeyPolicy + - kms:TagResource + - logs:CreateLogGroup + - logs:DescribeLogGroups + - logs:ListTagsLogGroup + - logs:PutRetentionPolicy + - logs:TagLogGroup + - logs:TagResource + - route53:ChangeResourceRecordSets + - route53:ChangeTagsForResource + - route53:CreateHostedZone + - route53:GetChange + - route53:GetHostedZone + - route53:ListResourceRecordSets + - route53:ListTagsForResource + - s3:GetObject + - s3:ListBucket + - s3:PutObject + + DeprovisionPolicy: + Type: AWS::IAM::Policy + Properties: + PolicyName: !Sub + - nuon-deprovision-${RoleName} + - RoleName: !Ref RoleName + Roles: + - !Ref InstallRole + PolicyDocument: + Statement: + - Effect: Allow + Resource: "*" + Action: + - ecs:DeleteCapacityProvider + - ecs:DeleteCluster + - logs:ListTagsForResource + - ec2:DeleteInternetGateway + - ec2:DeleteLaunchTemplate + - ec2:DeleteLaunchTemplateVersions + - ec2:DeleteNatGateway + - 
ec2:DeleteNetworkInterface + - ec2:DeleteRoute + - ec2:DeleteRouteTable + - ec2:DeleteSecurityGroup + - ec2:DeleteSubnet + - ec2:DeleteTags + - ec2:DeleteVpc + - ec2:DescribeAddresses + - ec2:DescribeInternetGateways + - ec2:DescribeLaunchTemplateVersions + - ec2:DescribeLaunchTemplates + - ec2:DescribeNatGateways + - ec2:DescribeNetworkAcls + - ec2:DescribeNetworkInterfaces + - ec2:DescribeRouteTables + - ec2:DescribeSecurityGroupRules + - ec2:DescribeSecurityGroups + - ec2:DescribeSubnets + - ec2:DescribeTags + - ec2:DescribeVpcAttribute + - ec2:DescribeVpcClassicLink + - ec2:DescribeVpcClassicLinkDnsSupport + - ec2:DescribeVpcs + - ec2:DetachInternetGateway + - ec2:DetachNetworkInterface + - ec2:DisassociateAddress + - ec2:DisassociateRouteTable + - ec2:ReleaseAddress + - ec2:RevokeSecurityGroupIngress + - ecr:DeleteRepository + - ecr:DescribeRepositories + - ecr:ListTagsForResource + - iam:DeleteOpenIDConnectProvider + - iam:DeletePolicy + - iam:DeletePolicyVersion + - iam:DeleteRole + - iam:DeleteRolePolicy + - iam:DetachRolePolicy + - iam:GetOpenIDConnectProvider + - iam:GetPolicy + - iam:GetPolicyVersion + - iam:GetRole + - iam:GetRolePolicy + - iam:ListAttachedRolePolicies + - iam:ListInstanceProfilesForRole + - iam:ListPolicyVersions + - iam:ListRolePolicies + - kms:DeleteAlias + - kms:DescribeKey + - kms:GetKeyPolicy + - kms:GetKeyRotationStatus + - kms:ListAliases + - kms:ListResourceTags + - kms:RetireGrant + - kms:ScheduleKeyDeletion + - logs:DeleteLogGroup + - logs:DescribeLogGroups + - logs:ListTagsLogGroup + - route53:ChangeTagsForResource + - route53:DeleteHostedZone + - route53:GetDNSSEC + - route53:GetHostedZone + - route53:ListResourceRecordSets + - route53:ListTagsForResource + - s3:GetObject + - s3:ListBucket diff --git a/aws-ecs-byovpc/artifacts/cloudformation-template.yaml b/aws-ecs-byovpc/artifacts/cloudformation-template.yaml index 4f936df..08a3c04 100644 --- a/aws-ecs-byovpc/artifacts/cloudformation-template.yaml 
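Review bot: `DelegationRoleARN` defaults to `""`, so a stack created without that parameter renders `Principal: AWS: ""` in InstallRole's AssumeRolePolicyDocument, which IAM rejects at role creation and CloudFormation then fails mid-stack instead of at parameter validation; drop the default and constrain the value, e.g. `MinLength: 1` and `AllowedPattern: "^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+$"`. Separately, ProvisionPolicy grants `iam:PassRole`, `iam:CreateRole`, `iam:AttachRolePolicy`, `iam:PutRolePolicy` and `iam:UpdateAssumeRolePolicy` on `Resource: "*"`, which is wider than an install workflow needs and is the usual IAM escalation surface; at minimum scope `iam:PassRole` with a `Condition: StringEquals: iam:PassedToService:` naming the services the Terraform actually passes roles to (not visible here), or bind the role-shaping actions to a role-name prefix. The same shape recurs in the other templates in this patch, and since the header marks this file as generated the change belongs in the generator (the diffstat lists pkg/sandboxes/aws-ecs-byovpc/iam.go and pkg/sandboxes/permissions/trust.go, neither shown here).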
+++ b/aws-ecs-byovpc/artifacts/cloudformation-template.yaml @@ -1,3 +1,4 @@ +# generated on: 2024-11-27 10:52:20.849138 -0600 CST m=+0.012602251 Parameters: RoleName: Type: String @@ -10,6 +11,7 @@ Outputs: Value: !GetAtt InstallRole.Arn Resources: + InstallRole: Type: AWS::IAM::Role Properties: @@ -23,21 +25,27 @@ Resources: AssumeRolePolicyDocument: Statement: - Effect: Allow - Action: sts:AssumeRole Principal: AWS: arn:aws:iam::676549690856:root + Action: + - sts:AssumeRole - Effect: Allow - Action: sts:AssumeRole Principal: AWS: arn:aws:iam::007754799877:root + Action: + - sts:AssumeRole - Effect: Allow - Action: sts:AssumeRole Principal: AWS: arn:aws:iam::814326426574:root + Action: + - sts:AssumeRole - Effect: Allow - Action: sts:AssumeRole Principal: AWS: arn:aws:iam::766121324316:root + Action: + - sts:AssumeRole + + ProvisionPolicy: Type: AWS::IAM::Policy Properties: @@ -49,18 +57,25 @@ Resources: PolicyDocument: Statement: - Effect: Allow - Action: + Resource: "*" + Action: + - application-autoscaling:* + - ecs:CreateCapacityProvider + - ecs:DescribeCapacityProviders + - ecs:CreateCluster + - ecs:PutClusterCapacityProviders + - ecs:DescribeClusters + - ecs:TagResource + - ecs:ListTagsForResource + - ecs:RegisterTaskDefinition - ec2:AllocateAddress - ec2:AssociateRouteTable - ec2:AttachInternetGateway - ec2:AuthorizeSecurityGroupEgress - ec2:AuthorizeSecurityGroupIngress - - ec2:AuthorizeSecurityGroupIngress - - ec2:DescribeAvailabilityZones - - ec2:DescribeSecurityGroupReferences - - ec2:DescribeSecurityGroupRules - - ec2:DescribeSecurityGroups - ec2:CreateInternetGateway + - ec2:CreateLaunchTemplate + - ec2:CreateLaunchTemplateVersion - ec2:CreateNatGateway - ec2:CreateRoute - ec2:CreateRouteTable 
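Review bot: The four trust statements in hunk `@@ -23,21 +25,27 @@` still let the whole `:root` of each external account (676549690856, 007754799877, 814326426574, 766121324316) assume InstallRole with no `Condition`; the rewrite only turns `Action` into a list. For a role that a third party assumes in the customer's account, add an `ExternalId` parameter and `Condition: StringEquals: sts:ExternalId: !Ref ExternalId` to each statement, and prefer naming the specific delegating role ARN in each account over `:root` so that the trust is not usable by every principal in those accounts that holds `sts:AssumeRole`. aws-ecs-byovpc/artifacts/trust.json in this same patch (from its `@@ -7,7 +7,9 @@` hunk onward) mirrors these statements and needs the same treatment; the trust policy appears to come from pkg/sandboxes/permissions/trust.go in the diffstat, which is not shown.
```yaml
# … unchanged: Parameters.RoleName …
  ExternalId:
    Type: String
    NoEcho: true
    MinLength: 1
    Description: "Value the delegating account must present as sts:ExternalId"
# … unchanged: Outputs, InstallRole RoleName and Tags …
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::676549690856:root
            Action:
              - sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
          # … same Condition block on the three remaining statements …
```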
@@ -68,16 +83,16 @@ Resources: - ec2:CreateSubnet - ec2:CreateTags - ec2:CreateVpc - - ec2:CreateLaunchTemplateVersion - - ec2:CreateLaunchTemplate - ec2:DescribeAddresses - - ec2:DescribeAddressesAttribute + - ec2:DescribeAvailabilityZones - ec2:DescribeInternetGateways - ec2:DescribeLaunchTemplateVersions - ec2:DescribeLaunchTemplates - ec2:DescribeNatGateways - ec2:DescribeNetworkAcls - ec2:DescribeRouteTables + - ec2:DescribeSecurityGroupReferences + - ec2:DescribeSecurityGroupRules - ec2:DescribeSecurityGroups - ec2:DescribeSubnets - ec2:DescribeTags @@ -85,26 +100,17 @@ Resources: - ec2:DescribeVpcClassicLink - ec2:DescribeVpcClassicLinkDnsSupport - ec2:DescribeVpcs + - ec2:ModifyLaunchTemplate - ec2:ModifySubnetAttribute - ec2:ModifyVpcAttribute - - ec2:ModifyLaunchTemplate - ec2:RevokeSecurityGroupEgress - ec2:RunInstances - - ecs:CreateCluster - - ecs:ListTagsForResource - - ecs:TagResource - - ecs:DescribeClusters - - ecs:DescribeCapacityProviders - - ecs:CreateCapacityProvider - - ecs:PutClusterCapacityProviders - ecr:CreateRepository - ecr:DescribeRepositories - ecr:ListTagsForResource - ecr:TagResource - iam:AttachRolePolicy - iam:CreateOpenIDConnectProvider - - iam:UpdateAssumeRolePolicy - - iam:TagOpenIDConnectProvider - iam:CreatePolicy - iam:CreatePolicyVersion - iam:CreateRole @@ -118,8 +124,10 @@ Resources: - iam:ListRolePolicies - iam:PassRole - iam:PutRolePolicy + - iam:TagOpenIDConnectProvider - iam:TagPolicy - iam:TagRole + - iam:UpdateAssumeRolePolicy - kms:CreateAlias - kms:CreateGrant - kms:CreateKey 
@@ -131,25 +139,21 @@ Resources: - kms:PutKeyPolicy - kms:TagResource - logs:CreateLogGroup - - logs:TagLogGroup - logs:DescribeLogGroups - logs:ListTagsLogGroup - logs:PutRetentionPolicy + - logs:TagLogGroup - logs:TagResource - - logs:ListTagsForResource + - route53:ChangeResourceRecordSets - route53:ChangeTagsForResource - route53:CreateHostedZone - route53:GetChange - route53:GetHostedZone - route53:ListResourceRecordSets - route53:ListTagsForResource - - route53:ChangeResourceRecordSets - s3:GetObject - s3:ListBucket - s3:PutObject - - ecs:* - - application-autoscaling:* - Resource: "*" DeprovisionPolicy: Type: AWS::IAM::Policy @@ -162,22 +166,28 @@ Resources: PolicyDocument: Statement: - Effect: Allow - Action: + Resource: "*" + Action: + - ecs:DeleteCapacityProvider + - ecs:DeleteCluster + - logs:ListTagsForResource - ec2:DeleteInternetGateway - - ec2:DeleteVpc + - ec2:DeleteLaunchTemplate + - ec2:DeleteLaunchTemplateVersions - ec2:DeleteNatGateway + - ec2:DeleteNetworkInterface - ec2:DeleteRoute - ec2:DeleteRouteTable + - ec2:DeleteSecurityGroup - ec2:DeleteSubnet - ec2:DeleteTags + - ec2:DeleteVpc - ec2:DescribeAddresses - ec2:DescribeInternetGateways - ec2:DescribeLaunchTemplateVersions - ec2:DescribeLaunchTemplates - ec2:DescribeNatGateways - ec2:DescribeNetworkAcls - - ec2:DeleteNetworkInterface - - ec2:DetachNetworkInterface - ec2:DescribeNetworkInterfaces - ec2:DescribeRouteTables - ec2:DescribeSecurityGroupRules @@ -189,17 +199,14 @@ Resources: - ec2:DescribeVpcClassicLinkDnsSupport - ec2:DescribeVpcs - ec2:DetachInternetGateway + - ec2:DetachNetworkInterface - ec2:DisassociateAddress - ec2:DisassociateRouteTable - - ec2:DeleteLaunchTemplate - - ec2:DeleteLaunchTemplateVersions - ec2:ReleaseAddress - ec2:RevokeSecurityGroupIngress - ecr:DeleteRepository - ecr:DescribeRepositories - ecr:ListTagsForResource - - ecs:DeleteCluster - - ecs:DeleteCapacityProvider - iam:DeleteOpenIDConnectProvider - iam:DeletePolicy - iam:DeletePolicyVersion 
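Review bot: Hunk `@@ -131,25 +139,21 @@` drops `ecs:*` from ProvisionPolicy, which is the right direction, but the explicit list that replaces it (hunk `@@ -49,18 +57,25 @@` in this file) pairs the new `ecs:RegisterTaskDefinition` with no `ecs:DescribeTaskDefinition`, and DeprovisionPolicy in `@@ -162,22 +166,28 @@` gains `ecs:DeleteCapacityProvider` and `ecs:DeleteCluster` but no `ecs:DeregisterTaskDefinition`. If the byovpc Terraform manages an `aws_ecs_task_definition`, as the added register action suggests, the provider reads it back with DescribeTaskDefinition after create and deregisters it on destroy, so the first refresh would fail and a teardown would leave the definition behind; the aws-ecs variant in this same patch carries `ecs:DescribeTaskDefinition` in both policies and `ecs:DeregisterTaskDefinition` in deprovision, so the two sandbox types have diverged. Add `- ecs:DescribeTaskDefinition` to ProvisionPolicy and `- ecs:DeregisterTaskDefinition` plus `- ecs:DescribeTaskDefinition` to DeprovisionPolicy, in the generator rather than in these artifacts (provision.json and deprovision.json under aws-ecs-byovpc/artifacts carry the same lists).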
@@ -221,18 +228,16 @@ Resources: - kms:GetKeyRotationStatus - kms:ListAliases - kms:ListResourceTags + - kms:RetireGrant - kms:ScheduleKeyDeletion - logs:DeleteLogGroup - logs:DescribeLogGroups - logs:ListTagsLogGroup + - route53:ChangeTagsForResource - route53:DeleteHostedZone - route53:GetDNSSEC - route53:GetHostedZone - route53:ListResourceRecordSets - route53:ListTagsForResource - - route53:ChangeTagsForResource - s3:GetObject - s3:ListBucket - - kms:RetireGrant - - ec2:DeleteSecurityGroup - Resource: "*" diff --git a/aws-ecs-byovpc/artifacts/deprovision.json b/aws-ecs-byovpc/artifacts/deprovision.json index f4610d1..e736241 100644 --- a/aws-ecs-byovpc/artifacts/deprovision.json +++ b/aws-ecs-byovpc/artifacts/deprovision.json @@ -2,23 +2,30 @@ "Version": "2012-10-17", "Statement": [ { + "Sid": "", "Effect": "Allow", + "Resource": "*", "Action": [ + "ecs:DeleteCapacityProvider", + "ecs:DeleteCluster", + "logs:ListTagsForResource", "ec2:DeleteInternetGateway", - "ec2:DeleteVpc", + "ec2:DeleteLaunchTemplate", + "ec2:DeleteLaunchTemplateVersions", "ec2:DeleteNatGateway", + "ec2:DeleteNetworkInterface", "ec2:DeleteRoute", "ec2:DeleteRouteTable", + "ec2:DeleteSecurityGroup", "ec2:DeleteSubnet", "ec2:DeleteTags", + "ec2:DeleteVpc", "ec2:DescribeAddresses", "ec2:DescribeInternetGateways", "ec2:DescribeLaunchTemplateVersions", "ec2:DescribeLaunchTemplates", "ec2:DescribeNatGateways", "ec2:DescribeNetworkAcls", - "ec2:DeleteNetworkInterface", - "ec2:DetachNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroupRules", 
@@ -30,17 +37,14 @@ "ec2:DescribeVpcClassicLinkDnsSupport", "ec2:DescribeVpcs", "ec2:DetachInternetGateway", + "ec2:DetachNetworkInterface", "ec2:DisassociateAddress", "ec2:DisassociateRouteTable", - "ec2:DeleteLaunchTemplate", - "ec2:DeleteLaunchTemplateVersions", "ec2:ReleaseAddress", "ec2:RevokeSecurityGroupIngress", "ecr:DeleteRepository", "ecr:DescribeRepositories", "ecr:ListTagsForResource", - "ecs:DeleteCluster", - "ecs:DeleteCapacityProvider", "iam:DeleteOpenIDConnectProvider", "iam:DeletePolicy", "iam:DeletePolicyVersion", @@ -62,23 +66,20 @@ "kms:GetKeyRotationStatus", "kms:ListAliases", "kms:ListResourceTags", + "kms:RetireGrant", "kms:ScheduleKeyDeletion", "logs:DeleteLogGroup", "logs:DescribeLogGroups", "logs:ListTagsLogGroup", + "route53:ChangeTagsForResource", "route53:DeleteHostedZone", "route53:GetDNSSEC", "route53:GetHostedZone", "route53:ListResourceRecordSets", "route53:ListTagsForResource", - "route53:ChangeTagsForResource", "s3:GetObject", - "s3:ListBucket", - "kms:RetireGrant", - "ec2:DeleteSecurityGroup" - ], - "Resource": "*" + "s3:ListBucket" + ] } ] -} - +} \ No newline at end of file diff --git a/aws-ecs-byovpc/artifacts/provision.json b/aws-ecs-byovpc/artifacts/provision.json index 8709124..f13568b 100644 --- a/aws-ecs-byovpc/artifacts/provision.json +++ b/aws-ecs-byovpc/artifacts/provision.json 
@@ -1,109 +1,107 @@ { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:AllocateAddress", - "ec2:AssociateRouteTable", - "ec2:AttachInternetGateway", - "ec2:AuthorizeSecurityGroupEgress", - "ec2:DescribeAvailabilityZones", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DescribeSecurityGroupReferences", - "ec2:DescribeSecurityGroupRules", - "ec2:DescribeSecurityGroups", - "ec2:CreateInternetGateway", - "ec2:CreateNatGateway", - "ec2:CreateRoute", - "ec2:CreateRouteTable", - "ec2:CreateSecurityGroup", - "ec2:CreateSubnet", - "ec2:CreateTags", - "ec2:CreateVpc", - "ec2:CreateLaunchTemplateVersion", - "ec2:CreateLaunchTemplate", - "ec2:DescribeAddresses", - "ec2:DescribeInternetGateways", - "ec2:DescribeLaunchTemplateVersions", - "ec2:DescribeLaunchTemplates", - "ec2:DescribeNatGateways", - "ec2:DescribeNetworkAcls", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeTags", - "ec2:DescribeVpcAttribute", - "ec2:DescribeVpcClassicLink", - "ec2:DescribeVpcClassicLinkDnsSupport", - "ec2:DescribeVpcs", - "ec2:DescribeAvailabilityZones", - "ec2:ModifySubnetAttribute", - "ec2:ModifyVpcAttribute", - "ec2:ModifyLaunchTemplate", - "ec2:RevokeSecurityGroupEgress", - "ec2:RunInstances", - "ecs:CreateCluster", - "ecs:ListTagsForResource", - "ecs:TagResource", - "ecs:DescribeClusters", - "ecs:DescribeCapacityProviders", - "ecs:CreateCapacityProvider", - "ecs:PutClusterCapacityProviders", - "ecr:CreateRepository", - "ecr:DescribeRepositories", - "ecr:ListTagsForResource", - "ecr:TagResource", - "iam:AttachRolePolicy", - "iam:CreateOpenIDConnectProvider", - "iam:UpdateAssumeRolePolicy", - "iam:TagOpenIDConnectProvider", - "iam:CreatePolicy", - "iam:CreatePolicyVersion", - "iam:CreateRole", - "iam:CreateServiceLinkedRole", - "iam:GetOpenIDConnectProvider", - "iam:GetPolicy", - "iam:GetPolicyVersion", - "iam:GetRole", - "iam:GetRolePolicy", - 
"iam:ListAttachedRolePolicies", - "iam:ListRolePolicies", - "iam:PassRole", - "iam:PutRolePolicy", - "iam:TagPolicy", - "iam:TagRole", - "kms:CreateAlias", - "kms:CreateGrant", - "kms:CreateKey", - "kms:DescribeKey", - "kms:GetKeyPolicy", - "kms:GetKeyRotationStatus", - "kms:ListAliases", - "kms:ListResourceTags", - "kms:PutKeyPolicy", - "kms:TagResource", - "logs:CreateLogGroup", - "logs:TagLogGroup", - "logs:DescribeLogGroups", - "logs:ListTagsLogGroup", - "logs:PutRetentionPolicy", - "logs:TagResource", - "route53:ChangeTagsForResource", - "route53:CreateHostedZone", - "route53:GetChange", - "route53:GetHostedZone", - "route53:ListResourceRecordSets", - "route53:ListTagsForResource", - "route53:ChangeResourceRecordSets", - "s3:GetObject", - "s3:ListBucket", - "ecs:*", - "application-autoscaling:*", - "s3:PutObject" - ], - "Resource": "*" - } - ] -} + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "", + "Effect": "Allow", + "Resource": "*", + "Action": [ + "application-autoscaling:*", + "ecs:CreateCapacityProvider", + "ecs:DescribeCapacityProviders", + "ecs:CreateCluster", + "ecs:PutClusterCapacityProviders", + "ecs:DescribeClusters", + "ecs:TagResource", + "ecs:ListTagsForResource", + "ecs:RegisterTaskDefinition", + "ec2:AllocateAddress", + "ec2:AssociateRouteTable", + "ec2:AttachInternetGateway", + "ec2:AuthorizeSecurityGroupEgress", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateInternetGateway", + "ec2:CreateLaunchTemplate", + "ec2:CreateLaunchTemplateVersion", + "ec2:CreateNatGateway", + "ec2:CreateRoute", + "ec2:CreateRouteTable", + "ec2:CreateSecurityGroup", + "ec2:CreateSubnet", + "ec2:CreateTags", + "ec2:CreateVpc", + "ec2:DescribeAddresses", + "ec2:DescribeAvailabilityZones", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeLaunchTemplates", + "ec2:DescribeNatGateways", + "ec2:DescribeNetworkAcls", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroupReferences", + 
"ec2:DescribeSecurityGroupRules", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeTags", + "ec2:DescribeVpcAttribute", + "ec2:DescribeVpcClassicLink", + "ec2:DescribeVpcClassicLinkDnsSupport", + "ec2:DescribeVpcs", + "ec2:ModifyLaunchTemplate", + "ec2:ModifySubnetAttribute", + "ec2:ModifyVpcAttribute", + "ec2:RevokeSecurityGroupEgress", + "ec2:RunInstances", + "ecr:CreateRepository", + "ecr:DescribeRepositories", + "ecr:ListTagsForResource", + "ecr:TagResource", + "iam:AttachRolePolicy", + "iam:CreateOpenIDConnectProvider", + "iam:CreatePolicy", + "iam:CreatePolicyVersion", + "iam:CreateRole", + "iam:CreateServiceLinkedRole", + "iam:GetOpenIDConnectProvider", + "iam:GetPolicy", + "iam:GetPolicyVersion", + "iam:GetRole", + "iam:GetRolePolicy", + "iam:ListAttachedRolePolicies", + "iam:ListRolePolicies", + "iam:PassRole", + "iam:PutRolePolicy", + "iam:TagOpenIDConnectProvider", + "iam:TagPolicy", + "iam:TagRole", + "iam:UpdateAssumeRolePolicy", + "kms:CreateAlias", + "kms:CreateGrant", + "kms:CreateKey", + "kms:DescribeKey", + "kms:GetKeyPolicy", + "kms:GetKeyRotationStatus", + "kms:ListAliases", + "kms:ListResourceTags", + "kms:PutKeyPolicy", + "kms:TagResource", + "logs:CreateLogGroup", + "logs:DescribeLogGroups", + "logs:ListTagsLogGroup", + "logs:PutRetentionPolicy", + "logs:TagLogGroup", + "logs:TagResource", + "route53:ChangeResourceRecordSets", + "route53:ChangeTagsForResource", + "route53:CreateHostedZone", + "route53:GetChange", + "route53:GetHostedZone", + "route53:ListResourceRecordSets", + "route53:ListTagsForResource", + "s3:GetObject", + "s3:ListBucket", + "s3:PutObject" + ] + } + ] +} \ No newline at end of file diff --git a/aws-ecs-byovpc/artifacts/trust.json b/aws-ecs-byovpc/artifacts/trust.json index 472dffb..0c71661 100644 --- a/aws-ecs-byovpc/artifacts/trust.json +++ b/aws-ecs-byovpc/artifacts/trust.json 
@@ -7,7 +7,9 @@
 "Principal": {
 "AWS": "arn:aws:iam::676549690856:root"
 },
- "Action": "sts:AssumeRole"
+ "Action": [
+ "sts:AssumeRole"
+ ]
 },
 {
 "Sid": "",
@@ -15,7 +17,9 @@
 "Principal": {
 "AWS": "arn:aws:iam::007754799877:root"
 },
- "Action": "sts:AssumeRole"
+ "Action": [
+ "sts:AssumeRole"
+ ]
 },
 {
 "Sid": "",
@@ -23,7 +27,9 @@
 "Principal": {
 "AWS": "arn:aws:iam::814326426574:root"
 },
- "Action": "sts:AssumeRole"
+ "Action": [
+ "sts:AssumeRole"
+ ]
 },
 {
 "Sid": "",
@@ -31,7 +37,9 @@
 "Principal": {
 "AWS": "arn:aws:iam::766121324316:root"
 },
- "Action": "sts:AssumeRole"
+ "Action": [
+ "sts:AssumeRole"
+ ]
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/aws-ecs/artifacts/cloudformation-template-delegation.yaml b/aws-ecs/artifacts/cloudformation-template-delegation.yaml
index 7516660..f5d386b 100644
--- a/aws-ecs/artifacts/cloudformation-template-delegation.yaml
+++ b/aws-ecs/artifacts/cloudformation-template-delegation.yaml
@@ -1,4 +1,4 @@
-# generated on: 2024-11-25 14:44:46.123408 -0600 CST m=+0.017508709
+# generated on: 2024-11-27 10:52:20.849215 -0600 CST m=+0.012679293
 Parameters:
 RoleName:
 Type: String
@@ -47,22 +47,31 @@ Resources: Resource: "*" Action: - application-autoscaling:* + - ec2:DescribeAddressesAttribute - ec2:CreateNetworkAclEntry - ec2:DeleteNetworkAclEntry - - ec2:DescribeAddressesAttribute - ecs:CreateCapacityProvider - - ecs:CreateCluster - ecs:DescribeCapacityProviders - - ecs:DescribeClusters - - ecs:ListTagsForResource + - ecs:CreateCluster - ecs:PutClusterCapacityProviders + - ecs:DescribeClusters - ecs:TagResource + - ecs:CreateService + - ecs:DeleteService + - ecs:UpdateService + - ecs:DescribeServices + - ecs:ListServices + - ecs:ListTagsForResource + - ecs:DeregisterTaskDefinition + - ecs:DescribeTaskDefinition + - ecs:RegisterTaskDefinition + - ecs:ListTaskDefinitions - logs:ListTagsForResource - - rds:AddTagsToResource - rds:CreateDBSubnetGroup - rds:DeleteDBSubnetGroup - rds:DescribeDBSubnetGroups - rds:ListTagsForResource + - rds:AddTagsToResource - ec2:AllocateAddress - ec2:AssociateRouteTable - ec2:AttachInternetGateway @@ -163,9 +172,26 @@ Resources: - Effect: Allow Resource: "*" Action: + - application-autoscaling:* + - ec2:DescribeAddressesAttribute + - ec2:DeleteNetworkAclEntry - ecs:DeleteCapacityProvider + - ecs:DescribeCapacityProviders - ecs:DeleteCluster + - ecs:DescribeClusters + - ecs:UntagResource + - ecs:DeleteService + - ecs:UpdateService + - ecs:DescribeServices + - ecs:ListServices + - ecs:ListTagsForResource + - ecs:DeregisterTaskDefinition + - ecs:DescribeTaskDefinition + - ecs:ListTaskDefinitions - logs:ListTagsForResource + - rds:DeleteDBSubnetGroup + - rds:DescribeDBSubnetGroups + - rds:ListTagsForResource - ec2:DeleteInternetGateway - ec2:DeleteLaunchTemplate - ec2:DeleteLaunchTemplateVersions diff --git a/aws-ecs/artifacts/cloudformation-template.yaml b/aws-ecs/artifacts/cloudformation-template.yaml index d051fe6..0bfcc89 100644 --- a/aws-ecs/artifacts/cloudformation-template.yaml +++ b/aws-ecs/artifacts/cloudformation-template.yaml 
@@ -1,4 +1,4 @@ -# generated on: 2024-11-25 14:44:46.123408 -0600 CST m=+0.017508709 +# generated on: 2024-11-27 10:52:20.849215 -0600 CST m=+0.012679293 Parameters: RoleName: Type: String @@ -60,22 +60,31 @@ Resources: Resource: "*" Action: - application-autoscaling:* + - ec2:DescribeAddressesAttribute - ec2:CreateNetworkAclEntry - ec2:DeleteNetworkAclEntry - - ec2:DescribeAddressesAttribute - ecs:CreateCapacityProvider - - ecs:CreateCluster - ecs:DescribeCapacityProviders - - ecs:DescribeClusters - - ecs:ListTagsForResource + - ecs:CreateCluster - ecs:PutClusterCapacityProviders + - ecs:DescribeClusters - ecs:TagResource + - ecs:CreateService + - ecs:DeleteService + - ecs:UpdateService + - ecs:DescribeServices + - ecs:ListServices + - ecs:ListTagsForResource + - ecs:DeregisterTaskDefinition + - ecs:DescribeTaskDefinition + - ecs:RegisterTaskDefinition + - ecs:ListTaskDefinitions - logs:ListTagsForResource - - rds:AddTagsToResource - rds:CreateDBSubnetGroup - rds:DeleteDBSubnetGroup - rds:DescribeDBSubnetGroups - rds:ListTagsForResource + - rds:AddTagsToResource - ec2:AllocateAddress - ec2:AssociateRouteTable - ec2:AttachInternetGateway @@ -176,9 +185,26 @@ Resources: - Effect: Allow Resource: "*" Action: + - application-autoscaling:* + - ec2:DescribeAddressesAttribute + - ec2:DeleteNetworkAclEntry - ecs:DeleteCapacityProvider + - ecs:DescribeCapacityProviders - ecs:DeleteCluster + - ecs:DescribeClusters + - ecs:UntagResource + - ecs:DeleteService + - ecs:UpdateService + - ecs:DescribeServices + - ecs:ListServices + - ecs:ListTagsForResource + - ecs:DeregisterTaskDefinition + - ecs:DescribeTaskDefinition + - ecs:ListTaskDefinitions - logs:ListTagsForResource + - rds:DeleteDBSubnetGroup + - rds:DescribeDBSubnetGroups + - rds:ListTagsForResource - ec2:DeleteInternetGateway - ec2:DeleteLaunchTemplate - ec2:DeleteLaunchTemplateVersions diff --git a/aws-ecs/artifacts/deprovision.json b/aws-ecs/artifacts/deprovision.json index 87b4240..d7bb6de 100644 
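Review bot: Hunk `@@ -176,9 +185,26 @@` adds `application-autoscaling:*` to DeprovisionPolicy, which for a teardown policy is wider than it needs: the removal path wants the deregister/delete/describe calls, `application-autoscaling:DeregisterScalableTarget`, `application-autoscaling:DeleteScalingPolicy`, `application-autoscaling:DescribeScalableTargets` and `application-autoscaling:DescribeScalingPolicies`, not the ability to register new targets or put new policies. The same wildcard already heads ProvisionPolicy in `@@ -60,22 +60,31 @@`, so the patch enumerates every other service action by action while this one stays a blanket grant in both policies. The identical deprovision hunk appears in aws-ecs/artifacts/cloudformation-template-delegation.yaml (`@@ -163,9 +172,26 @@`) and in aws-ecs/artifacts/deprovision.json; the YAML header marks these files as generated, so the narrowing belongs in the generator.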
--- a/aws-ecs/artifacts/deprovision.json
+++ b/aws-ecs/artifacts/deprovision.json
@@ -7,21 +7,21 @@
 "Resource": "*",
 "Action": [
 "application-autoscaling:*",
- "ec2:DeleteNetworkAclEntry",
 "ec2:DescribeAddressesAttribute",
+ "ec2:DeleteNetworkAclEntry",
 "ecs:DeleteCapacityProvider",
- "ecs:DeleteCluster",
- "ecs:DeleteService",
- "ecs:DeregisterTaskDefinition",
 "ecs:DescribeCapacityProviders",
+ "ecs:DeleteCluster",
 "ecs:DescribeClusters",
+ "ecs:UntagResource",
+ "ecs:DeleteService",
+ "ecs:UpdateService",
 "ecs:DescribeServices",
- "ecs:DescribeTaskDefinition",
 "ecs:ListServices",
 "ecs:ListTagsForResource",
+ "ecs:DeregisterTaskDefinition",
+ "ecs:DescribeTaskDefinition",
 "ecs:ListTaskDefinitions",
- "ecs:UntagResource",
- "ecs:UpdateService",
 "logs:ListTagsForResource",
 "rds:DeleteDBSubnetGroup",
 "rds:DescribeDBSubnetGroups",
diff --git a/aws-ecs/artifacts/provision.json b/aws-ecs/artifacts/provision.json
index f80bd07..73fd7a9 100644
--- a/aws-ecs/artifacts/provision.json
+++ b/aws-ecs/artifacts/provision.json
@@ -7,31 +7,31 @@
 "Resource": "*",
 "Action": [
 "application-autoscaling:*",
+ "ec2:DescribeAddressesAttribute",
 "ec2:CreateNetworkAclEntry",
 "ec2:DeleteNetworkAclEntry",
- "ec2:DescribeAddressesAttribute",
 "ecs:CreateCapacityProvider",
+ "ecs:DescribeCapacityProviders",
 "ecs:CreateCluster",
+ "ecs:PutClusterCapacityProviders",
+ "ecs:DescribeClusters",
+ "ecs:TagResource",
 "ecs:CreateService",
 "ecs:DeleteService",
- "ecs:DeregisterTaskDefinition",
- "ecs:DescribeCapacityProviders",
- "ecs:DescribeClusters",
+ "ecs:UpdateService",
 "ecs:DescribeServices",
- "ecs:DescribeTaskDefinition",
 "ecs:ListServices",
 "ecs:ListTagsForResource",
- "ecs:ListTaskDefinitions",
- "ecs:PutClusterCapacityProviders",
+ "ecs:DeregisterTaskDefinition",
+ "ecs:DescribeTaskDefinition",
 "ecs:RegisterTaskDefinition",
- "ecs:TagResource",
- "ecs:UpdateService",
+ "ecs:ListTaskDefinitions",
 "logs:ListTagsForResource",
- "rds:AddTagsToResource",
 "rds:CreateDBSubnetGroup",
 "rds:DeleteDBSubnetGroup",
 "rds:DescribeDBSubnetGroups",
 "rds:ListTagsForResource",
+ "rds:AddTagsToResource",
 "ec2:AllocateAddress",
 "ec2:AssociateRouteTable",
 "ec2:AttachInternetGateway",
diff --git a/aws-eks-byovpc/artifacts/deprovision.json b/aws-eks-byovpc/artifacts/deprovision.json
index 0eca517..73caab3 100644
--- a/aws-eks-byovpc/artifacts/deprovision.json
+++ b/aws-eks-byovpc/artifacts/deprovision.json
@@ -2,23 +2,32 @@ "Version": "2012-10-17", "Statement": [ { + "Sid": "", "Effect": "Allow", + "Resource": "*", "Action": [ + "eks:DeleteAddon", + "eks:DeleteCluster", + "eks:DeleteNodegroup", + "eks:DescribeCluster", + "eks:DescribeNodegroup", "ec2:DeleteInternetGateway", - "ec2:DeleteVpc", + "ec2:DeleteLaunchTemplate", + "ec2:DeleteLaunchTemplateVersions", "ec2:DeleteNatGateway", + "ec2:DeleteNetworkInterface", "ec2:DeleteRoute", "ec2:DeleteRouteTable", + "ec2:DeleteSecurityGroup", "ec2:DeleteSubnet", "ec2:DeleteTags", + "ec2:DeleteVpc", "ec2:DescribeAddresses", "ec2:DescribeInternetGateways", "ec2:DescribeLaunchTemplateVersions", "ec2:DescribeLaunchTemplates", "ec2:DescribeNatGateways", "ec2:DescribeNetworkAcls", - "ec2:DeleteNetworkInterface", - "ec2:DetachNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroupRules", @@ -30,20 +39,14 @@ "ec2:DescribeVpcClassicLinkDnsSupport", "ec2:DescribeVpcs", "ec2:DetachInternetGateway", + "ec2:DetachNetworkInterface", "ec2:DisassociateAddress", "ec2:DisassociateRouteTable", - "ec2:DeleteLaunchTemplate", - "ec2:DeleteLaunchTemplateVersions", "ec2:ReleaseAddress", "ec2:RevokeSecurityGroupIngress", "ecr:DeleteRepository", "ecr:DescribeRepositories", "ecr:ListTagsForResource", - "eks:DeleteCluster", - "eks:DeleteNodegroup", - "eks:DescribeCluster", - "eks:DescribeNodegroup", - "eks:DeleteAddon", "iam:DeleteOpenIDConnectProvider", "iam:DeletePolicy", "iam:DeletePolicyVersion", 
@@ -65,23 +68,20 @@ "kms:GetKeyRotationStatus", "kms:ListAliases", "kms:ListResourceTags", + "kms:RetireGrant", "kms:ScheduleKeyDeletion", "logs:DeleteLogGroup", "logs:DescribeLogGroups", "logs:ListTagsLogGroup", + "route53:ChangeTagsForResource", "route53:DeleteHostedZone", "route53:GetDNSSEC", "route53:GetHostedZone", "route53:ListResourceRecordSets", "route53:ListTagsForResource", - "route53:ChangeTagsForResource", "s3:GetObject", - "s3:ListBucket", - "kms:RetireGrant", - "ec2:DeleteSecurityGroup" - ], - "Resource": "*" + "s3:ListBucket" + ] } ] -} - +} \ No newline at end of file diff --git a/aws-eks-byovpc/artifacts/provision.json b/aws-eks-byovpc/artifacts/provision.json index 8b7c08f..8aaf542 100644 --- a/aws-eks-byovpc/artifacts/provision.json +++ b/aws-eks-byovpc/artifacts/provision.json 
@@ -1,113 +1,112 @@ { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:AllocateAddress", - "ec2:AssociateRouteTable", - "ec2:AttachInternetGateway", - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DescribeSecurityGroupReferences", - "ec2:DescribeSecurityGroupRules", - "ec2:DescribeSecurityGroups", - "ec2:CreateInternetGateway", - "ec2:CreateNatGateway", - "ec2:CreateRoute", - "ec2:CreateRouteTable", - "ec2:CreateSecurityGroup", - "ec2:CreateSubnet", - "ec2:CreateTags", - "ec2:CreateVpc", - "ec2:CreateLaunchTemplateVersion", - "ec2:CreateLaunchTemplate", - "ec2:DescribeAddresses", - "ec2:DescribeInternetGateways", - "ec2:DescribeLaunchTemplateVersions", - "ec2:DescribeLaunchTemplates", - "ec2:DescribeNatGateways", - "ec2:DescribeNetworkAcls", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeTags", - "ec2:DescribeVpcAttribute", - "ec2:DescribeVpcClassicLink", - "ec2:DescribeVpcClassicLinkDnsSupport", - "ec2:DescribeVpcs", - "ec2:DescribeAvailabilityZones", - "ec2:ModifySubnetAttribute", - "ec2:ModifyVpcAttribute", - "ec2:ModifyLaunchTemplate", - "ec2:RevokeSecurityGroupEgress", - "ec2:RunInstances", - "ecr:CreateRepository", - "ecr:DescribeRepositories", - "ecr:ListTagsForResource", - "ecr:TagResource", - "eks:CreateCluster", - "eks:DescribeUpdate", - "eks:UpdateNodegroupVersion", - "eks:CreateNodegroup", - "eks:DescribeCluster", - "eks:TagResource", - "eks:ListTagsForResource", - "eks:DescribeNodegroup", - "eks:ListAddons", - "eks:CreateAddon", - "eks:DescribeAddon", - "eks:DescribeAddonConfiguration", - "eks:DescribeAddonVersions", - "iam:AttachRolePolicy", - "iam:CreateOpenIDConnectProvider", - "iam:UpdateAssumeRolePolicy", - "iam:TagOpenIDConnectProvider", - "iam:CreatePolicy", - "iam:CreatePolicyVersion", - "iam:CreateRole", - "iam:CreateServiceLinkedRole", - "iam:GetOpenIDConnectProvider", - 
"iam:GetPolicy", - "iam:GetPolicyVersion", - "iam:GetRole", - "iam:GetRolePolicy", - "iam:ListAttachedRolePolicies", - "iam:ListRolePolicies", - "iam:PassRole", - "iam:PutRolePolicy", - "iam:TagPolicy", - "iam:TagRole", - "kms:CreateAlias", - "kms:CreateGrant", - "kms:CreateKey", - "kms:DescribeKey", - "kms:GetKeyPolicy", - "kms:GetKeyRotationStatus", - "kms:ListAliases", - "kms:ListResourceTags", - "kms:PutKeyPolicy", - "kms:TagResource", - "logs:CreateLogGroup", - "logs:TagLogGroup", - "logs:ListTagsForResource", - "logs:DescribeLogGroups", - "logs:ListTagsLogGroup", - "logs:PutRetentionPolicy", - "logs:TagResource", - "route53:ChangeTagsForResource", - "route53:CreateHostedZone", - "route53:GetChange", - "route53:GetHostedZone", - "route53:ListResourceRecordSets", - "route53:ListTagsForResource", - "route53:ChangeResourceRecordSets", - "s3:GetObject", - "s3:ListBucket", - "s3:PutObject" - ], - "Resource": "*" - } - ] -} + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "", + "Effect": "Allow", + "Resource": "*", + "Action": [ + "eks:CreateAddon", + "eks:CreateCluster", + "eks:CreateNodegroup", + "eks:DescribeAddon", + "eks:DescribeAddonConfiguration", + "eks:DescribeAddonVersions", + "eks:DescribeCluster", + "eks:DescribeNodegroup", + "eks:DescribeUpdate", + "eks:ListAddons", + "eks:ListTagsForResource", + "eks:TagResource", + "eks:UpdateNodegroupVersion", + "logs:ListTagsForResource", + "ec2:AllocateAddress", + "ec2:AssociateRouteTable", + "ec2:AttachInternetGateway", + "ec2:AuthorizeSecurityGroupEgress", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateInternetGateway", + "ec2:CreateLaunchTemplate", + "ec2:CreateLaunchTemplateVersion", + "ec2:CreateNatGateway", + "ec2:CreateRoute", + "ec2:CreateRouteTable", + "ec2:CreateSecurityGroup", + "ec2:CreateSubnet", + "ec2:CreateTags", + "ec2:CreateVpc", + "ec2:DescribeAddresses", + "ec2:DescribeAvailabilityZones", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + 
"ec2:DescribeLaunchTemplates", + "ec2:DescribeNatGateways", + "ec2:DescribeNetworkAcls", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroupReferences", + "ec2:DescribeSecurityGroupRules", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeTags", + "ec2:DescribeVpcAttribute", + "ec2:DescribeVpcClassicLink", + "ec2:DescribeVpcClassicLinkDnsSupport", + "ec2:DescribeVpcs", + "ec2:ModifyLaunchTemplate", + "ec2:ModifySubnetAttribute", + "ec2:ModifyVpcAttribute", + "ec2:RevokeSecurityGroupEgress", + "ec2:RunInstances", + "ecr:CreateRepository", + "ecr:DescribeRepositories", + "ecr:ListTagsForResource", + "ecr:TagResource", + "iam:AttachRolePolicy", + "iam:CreateOpenIDConnectProvider", + "iam:CreatePolicy", + "iam:CreatePolicyVersion", + "iam:CreateRole", + "iam:CreateServiceLinkedRole", + "iam:GetOpenIDConnectProvider", + "iam:GetPolicy", + "iam:GetPolicyVersion", + "iam:GetRole", + "iam:GetRolePolicy", + "iam:ListAttachedRolePolicies", + "iam:ListRolePolicies", + "iam:PassRole", + "iam:PutRolePolicy", + "iam:TagOpenIDConnectProvider", + "iam:TagPolicy", + "iam:TagRole", + "iam:UpdateAssumeRolePolicy", + "kms:CreateAlias", + "kms:CreateGrant", + "kms:CreateKey", + "kms:DescribeKey", + "kms:GetKeyPolicy", + "kms:GetKeyRotationStatus", + "kms:ListAliases", + "kms:ListResourceTags", + "kms:PutKeyPolicy", + "kms:TagResource", + "logs:CreateLogGroup", + "logs:DescribeLogGroups", + "logs:ListTagsLogGroup", + "logs:PutRetentionPolicy", + "logs:TagLogGroup", + "logs:TagResource", + "route53:ChangeResourceRecordSets", + "route53:ChangeTagsForResource", + "route53:CreateHostedZone", + "route53:GetChange", + "route53:GetHostedZone", + "route53:ListResourceRecordSets", + "route53:ListTagsForResource", + "s3:GetObject", + "s3:ListBucket", + "s3:PutObject" + ] + } + ] +} \ No newline at end of file diff --git a/aws-eks-byovpc/artifacts/trust.json b/aws-eks-byovpc/artifacts/trust.json index 472dffb..0c71661 100644 --- a/aws-eks-byovpc/artifacts/trust.json 
+++ b/aws-eks-byovpc/artifacts/trust.json @@ -7,7 +7,9 @@ "Principal": { "AWS": "arn:aws:iam::676549690856:root" }, - "Action": "sts:AssumeRole" + "Action": [ + "sts:AssumeRole" + ] }, { "Sid": "", @@ -15,7 +17,9 @@ "Principal": { "AWS": "arn:aws:iam::007754799877:root" }, - "Action": "sts:AssumeRole" + "Action": [ + "sts:AssumeRole" + ] }, { "Sid": "", @@ -23,7 +27,9 @@ "Principal": { "AWS": "arn:aws:iam::814326426574:root" }, - "Action": "sts:AssumeRole" + "Action": [ + "sts:AssumeRole" + ] }, { "Sid": "", @@ -31,7 +37,9 @@ "Principal": { "AWS": "arn:aws:iam::766121324316:root" }, - "Action": "sts:AssumeRole" + "Action": [ + "sts:AssumeRole" + ] } ] -} +} \ No newline at end of file diff --git a/aws-eks/artifacts/deprovision.json b/aws-eks/artifacts/deprovision.json index 8708c76..88be950 100644 --- a/aws-eks/artifacts/deprovision.json +++ b/aws-eks/artifacts/deprovision.json @@ -9,14 +9,11 @@ "ec2:DeleteNetworkAclEntry", "ecr:UntagResource", "eks:ListAccessEntries", - "eks:DeleteAccessEntry", "eks:DescribeAccessEntry", "eks:UpdateAccessEntry", - "eks:DisassociateAccessPolicy", "eks:DeleteAddon", "eks:DescribeAddon", "eks:ListAddons", - "eks:ListAssociatedAccessPolicies", "eks:DeleteCluster", "eks:DescribeCluster", "eks:DeleteNodegroup", diff --git a/pkg/sandboxes/aws-ecs-byovpc/iam.go b/pkg/sandboxes/aws-ecs-byovpc/iam.go index 4ef185d..668842a 100644 --- a/pkg/sandboxes/aws-ecs-byovpc/iam.go +++ b/pkg/sandboxes/aws-ecs-byovpc/iam.go 
@@ -4,13 +4,15 @@ import perms "github.com/nuonco/sandboxes/pkg/sandboxes/permissions" // provision role permissions specific to this sandbox var ProvisionPermissions = append([]string{ + "application-autoscaling:*", "ecs:CreateCapacityProvider", - "ecs:CreateCluster", "ecs:DescribeCapacityProviders", - "ecs:DescribeClusters", - "ecs:ListTagsForResource", + "ecs:CreateCluster", "ecs:PutClusterCapacityProviders", + "ecs:DescribeClusters", "ecs:TagResource", + "ecs:ListTagsForResource", + "ecs:RegisterTaskDefinition", }, perms.BaseProvisionPermissions...) // Full provision rol policy for this sandbox @@ -29,6 +31,7 @@ var ProvisionPolicy = perms.Policy{ var DeprovisionPermissions = append([]string{ "ecs:DeleteCapacityProvider", "ecs:DeleteCluster", + "logs:ListTagsForResource", }, perms.BaseDeprovisionPermissions...) // Full deprovision role policy for this sandbox diff --git a/pkg/sandboxes/aws-eks/iam.go b/pkg/sandboxes/aws-eks/iam.go index 2e6a2ac..b9f670d 100644 --- a/pkg/sandboxes/aws-eks/iam.go +++ b/pkg/sandboxes/aws-eks/iam.go @@ -53,14 +53,11 @@ var DeprovisionPermissions = append([]string{ "ec2:DeleteNetworkAclEntry", "ecr:UntagResource", "eks:ListAccessEntries", - "eks:DeleteAccessEntry", "eks:DescribeAccessEntry", "eks:UpdateAccessEntry", - "eks:DisassociateAccessPolicy", "eks:DeleteAddon", "eks:DescribeAddon", "eks:ListAddons", - "eks:ListAssociatedAccessPolicies", "eks:DeleteCluster", "eks:DescribeCluster", "eks:DeleteNodegroup", diff --git a/pkg/sandboxes/permissions/trust.go b/pkg/sandboxes/permissions/trust.go index 2d36eaa..39f731e 100644 --- a/pkg/sandboxes/permissions/trust.go +++ b/pkg/sandboxes/permissions/trust.go 
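Review bot: `application-autoscaling:*` is the only service-wide wildcard in ProvisionPermissions, and because the generated statement uses `Resource: "*"` it grants every present and future Application Auto Scaling API on any scalable target in the account, not just the ECS services this sandbox creates; the enumerated form below covers what aws_appautoscaling_target and aws_appautoscaling_policy call (confirm with a real apply), with `DeregisterScalableTarget`/`DeleteScalingPolicy` belonging in DeprovisionPermissions, which this diff leaves without any application-autoscaling action and which presumably cannot destroy those resources. This matters more than usual here because the slice is appended to perms.BaseProvisionPermissions, which — if it carries the same `iam:PassRole`, `iam:CreateRole` and `iam:AttachRolePolicy` on `*` that the eks-byovpc provision.json in this diff shows — already makes the install role a privilege-escalation path, so every extra wildcard widens what a compromised pipeline can do with it. If the wildcard has to stay, a one-line comment naming the Terraform resource that needs it is the minimum. The whole `var ProvisionPermissions` declaration is inside the hunk.
```go
var ProvisionPermissions = append([]string{
	// Enumerated instead of "application-autoscaling:*": the statement's Resource is "*",
	// so a service wildcard would reach every scalable target in the account.
	"application-autoscaling:RegisterScalableTarget",
	"application-autoscaling:DescribeScalableTargets",
	"application-autoscaling:PutScalingPolicy",
	"application-autoscaling:DescribeScalingPolicies",
	"application-autoscaling:TagResource",
	"application-autoscaling:ListTagsForResource",
	// … unchanged: ecs:* entries …
}, perms.BaseProvisionPermissions...)
```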
@@ -5,7 +5,7 @@ type Principal struct {
 }
 
 type Statement struct {
-	Sid string `json:"Sid,omitempty" yaml:"Sid,omitempty"`
+	Sid string `json:"Sid" yaml:"Sid,omitempty"`
 	Effect string `json:"Effect" yaml:"Effect"`
 	Principal *Principal `json:"Principal,omitempty" yaml:"Principal,omitempty"`
 	Resource string `json:"Resource,omitempty" yaml:"Resource,omitempty"`
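Review bot: Dropping `omitempty` from the JSON tag makes every generated statement carry `"Sid": ""` (the regenerated artifacts in this diff show exactly that) while the YAML tag still omits it, and nothing records why the two tags now diverge, so the next reader is likely to "fix" it back. A comment on the field such as `// Sid is always emitted in JSON, even when empty, so generated policies match Terraform's aws_iam_policy_document output; the CloudFormation YAML keeps omitting it.` would pin the intent — the Terraform motivation is inferred from the commit subject, so adjust if the reason is different. The pre-existing trust.json statements already carry `"Sid": ""`, so IAM evidently accepts the empty value, but the same comment should note that any non-empty Sid must be unique within a policy, since the generator now emits the field on every statement. The Statement struct continues past the end of the hunk.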