diff --git a/pkg/model/components/addonmanifests/awscloudcontrollermanager/iam.go b/pkg/model/components/addonmanifests/awscloudcontrollermanager/iam.go
index 1450668190..3027a1e990 100644
--- a/pkg/model/components/addonmanifests/awscloudcontrollermanager/iam.go
+++ b/pkg/model/components/addonmanifests/awscloudcontrollermanager/iam.go
@@ -18,6 +18,7 @@ package awscloudcontrollermanager
 import (
 "k8s.io/apimachinery/pkg/types"
+ "k8s.io/kops/pkg/model/iam"
 )
@@ -32,7 +33,9 @@ func (r *ServiceAccount) BuildAWSPolicy(b *iam.PolicyBuilder) (*iam.Policy, erro
 clusterName := b.Cluster.ObjectMeta.Name
 p := iam.NewPolicy(clusterName)
 iam.AddCCMPermissions(p, b.Partition, b.Cluster.Spec.Networking.Kubenet != nil)
- iam.AddLegacyCCMPermissions(p)
+ if b.Cluster.IsKubernetesLT("1.23") {
+ iam.AddLegacyCCMPermissions(p)
+ }
 return p, nil
 }
diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
index 71c88ce0ef..e52e9d5746 100644
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@@ -407,7 +410,10 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 if b.Cluster.Spec.ExternalCloudControllerManager != nil {
 AddCCMPermissions(p, b.Partition, b.Cluster.Spec.Networking.Kubenet != nil)
- AddLegacyCCMPermissions(p)
+
+ if b.Cluster.IsKubernetesLT("1.23") {
+ AddLegacyCCMPermissions(p)
+ }
 }
 if b.Cluster.Spec.AWSLoadBalancerController != nil && fi.BoolValue(b.Cluster.Spec.AWSLoadBalancerController.Enabled) {
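Review bot: The version gate `if b.Cluster.IsKubernetesLT("1.23")` is written out verbatim in both ServiceAccount.BuildAWSPolicy (iam.go) and NodeRoleMaster.BuildAWSPolicy (iam_builder.go), and neither site says why 1.23 is the cutoff, so the two call sites will drift when the threshold moves. Keeping the check in one place — a small helper in the iam package that takes the cluster, or having AddLegacyCCMPermissions gate itself — with a comment such as `// Kubernetes < 1.23 still needs the legacy CCM permission set; remove once those versions are unsupported.` would make the intent explicit. The stray blank `+` line in the NodeRoleMaster hunk also detaches the gated call from the AddCCMPermissions call it belongs with. Both enclosing functions start and end outside their hunks.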
@@ -855,10 +858,25 @@ func AddLegacyCCMPermissions(p *Policy) {
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:CreateListener",
+ "ec2:DescribeVolumes",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume",
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
 )
 }
 func AddCCMPermissions(p *Policy, partition string, cloudRoutes bool) {
+ // legacy permissions we want to get rid of
+
+ p.unconditionalAction.Insert(
+ "ec2:CreateTags",
+ )
+
 p.unconditionalAction.Insert(
 "autoscaling:DescribeAutoScalingGroups",
 "autoscaling:DescribeTags",
@@ -867,7 +885,6 @@ func AddCCMPermissions(p *Policy, partition string, cloudRoutes bool) {
 "ec2:DescribeRouteTables",
 "ec2:DescribeSecurityGroups",
 "ec2:DescribeSubnets",
- "ec2:DescribeVolumes",
 "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
@@ -880,15 +897,9 @@ func AddCCMPermissions(p *Policy, partition string, cloudRoutes bool) {
 p.clusterTaggedAction.Insert(
 "ec2:ModifyInstanceAttribute",
- "ec2:ModifyVolume",
- "ec2:AttachVolume",
 "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteRoute",
 "ec2:DeleteSecurityGroup",
- "ec2:DeleteVolume",
- "ec2:DetachVolume",
 "ec2:RevokeSecurityGroupIngress",
- "elasticloadbalancing:AddTags",
 "elasticloadbalancing:AttachLoadBalancerToSubnets",
 "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
 "elasticloadbalancing:CreateLoadBalancerListeners",
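Review bot: `ec2:CreateTags` is inserted into `p.unconditionalAction` in AddCCMPermissions, i.e. tagging with no Resource or Condition scope, whereas the statement it replaces (removed in the next hunk) allowed it only on volumes and snapshots the role had itself just created. Judging by the name `clusterTaggedAction` and the `aws:ResourceTag/KubernetesCluster` conditions in the fixtures, this policy bounds its mutating actions by cluster tag, so an unscoped CreateTags lets the role move arbitrary EC2 resources into that scope simply by tagging them; and although the comment calls it a legacy permission, the insert is not behind the 1.23 gate, so clusters that skip AddLegacyCCMPermissions receive it too. If it is only needed by pre-1.23 CCMs, move the insert into AddLegacyCCMPermissions; otherwise emit it through AddEC2CreateAction so it carries the `ec2:CreateAction`/`aws:RequestTag` conditions the fixtures show. The actions added to AddLegacyCCMPermissions (AttachVolume, DeleteRoute, DeleteSecurityGroup, …) likewise leave `clusterTaggedAction` for the legacy set, which the fixtures render in the unscoped statement, so for pre-1.23 clusters this hunk widens the grant rather than only relocating it and the commit message should say so.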
@@ -913,34 +924,20 @@ func AddCCMPermissions(p *Policy, partition string, cloudRoutes bool) {
 p.clusterTaggedCreateAction.Insert(
 "elasticloadbalancing:CreateLoadBalancer",
- "ec2:CreateSecurityGroup",
- "ec2:CreateVolume",
 "elasticloadbalancing:CreateListener",
 "elasticloadbalancing:CreateTargetGroup",
 )
- p.Statement = append(p.Statement,
- &Statement{
- Effect: StatementEffectAllow,
- Action: stringorslice.Of(
- "ec2:CreateTags",
- ),
- Resource: stringorslice.Slice(
- []string{
- fmt.Sprintf("arn:%v:ec2:*:*:volume/*", partition),
- fmt.Sprintf("arn:%v:ec2:*:*:snapshot/*", partition),
- },
- ),
- Condition: Condition{
- "StringEquals": map[string]interface{}{
- "ec2:CreateAction": []string{
- "CreateVolume",
- "CreateSnapshot",
- },
- },
- },
+ p.AddEC2CreateAction(
+ []string{
+ "CreateSecurityGroup",
 },
+ []string{
+ "securitygroups",
+ },
+ partition,
 )
+
 if cloudRoutes {
 p.clusterTaggedAction.Insert(
 "ec2:CreateRoute",
diff --git a/pkg/model/iam/tests/iam_builder_master_strict.json b/pkg/model/iam/tests/iam_builder_master_strict.json
index 1edfe4ec2a..6792dc2fce 100644
--- a/pkg/model/iam/tests/iam_builder_master_strict.json
+++ b/pkg/model/iam/tests/iam_builder_master_strict.json
@@ -36,16 +36,33 @@
 "Action": "ec2:CreateTags",
 "Condition": {
 "StringEquals": {
+ "aws:RequestTag/KubernetesCluster": "iam-builder-test.k8s.local",
 "ec2:CreateAction": [
- "CreateVolume",
- "CreateSnapshot"
+ "CreateSecurityGroup"
 ]
 }
 },
 "Effect": "Allow",
 "Resource": [
- "arn:aws-test:ec2:*:*:volume/*",
- "arn:aws-test:ec2:*:*:snapshot/*"
+ "arn:aws-test:ec2:*:*:securitygroups/*"
+ ]
+ },
+ {
+ "Action": [
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ],
+ "Condition": {
+ "Null": {
+ "aws:RequestTag/KubernetesCluster": "true"
+ },
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws-test:ec2:*:*:securitygroups/*"
 ]
 },
 {
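Review bot: The resource type handed to AddEC2CreateAction is `"securitygroups"`, which the fixtures render as `arn:aws-test:ec2:*:*:securitygroups/*`; the EC2 ARN resource type for security groups is `security-group` (`arn:<partition>:ec2:<region>:<account>:security-group/<sg-id>`), so neither the tag-on-create statement nor the CreateTags/DeleteTags statement generated here will ever match a real security group, and tagging at creation only works because of the unscoped `ec2:CreateTags` added in the previous hunk. Change the literal to `"security-group",` and regenerate every fixture in this commit (iam_builder_master_strict*.json and the tests/integration policies), which currently pin the wrong ARN. Separately, `ec2:CreateVolume` is removed from `clusterTaggedCreateAction` but not added to AddLegacyCCMPermissions, and the aws-lb-controller fixture shows it disappearing from the policy altogether; if pre-1.23 in-tree volume provisioning still needs it, add it to the legacy set. AddCCMPermissions continues outside this hunk.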
@@ -90,8 +107,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -104,6 +126,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", diff --git a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json index f082d764b0..524ab02ab8 100644 --- a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json +++ b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json @@ -36,16 +36,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "iam-builder-test.k8s.local", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { 
@@ -90,8 +107,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -104,6 +126,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:DescribeRepositories", diff --git a/tests/integration/update_cluster/apiservernodes/cloudformation.json b/tests/integration/update_cluster/apiservernodes/cloudformation.json index bb353fcd5a..955ccc81eb 100644 --- a/tests/integration/update_cluster/apiservernodes/cloudformation.json +++ b/tests/integration/update_cluster/apiservernodes/cloudformation.json @@ -1316,16 +1316,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { 
@@ -1370,8 +1387,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -1384,6 +1406,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -1408,7 +1433,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/apiservernodes/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/apiservernodes/data/aws_iam_role_policy_masters.minimal.example.com_policy index cdf37d463c..df51d25b6c 100644 --- a/tests/integration/update_cluster/apiservernodes/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/apiservernodes/data/aws_iam_role_policy_masters.minimal.example.com_policy 
@@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -152,8 +169,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -166,6 +188,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -190,7 +215,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy index e7a32649b0..a7cf7944ad 100644 
--- a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -115,8 +132,13 @@ "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", "ec2:DescribeRegions", @@ -125,6 +147,9 @@ "ec2:DescribeSubnets", "ec2:DescribeVolumes", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -145,14 +170,9 @@ }, { "Action": [ - "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume", "ec2:RevokeSecurityGroupIngress", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", 
@@ -186,7 +206,6 @@ { "Action": [ "ec2:CreateSecurityGroup", - "ec2:CreateVolume", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateTargetGroup" diff --git a/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy b/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy index 15314fe1aa..207bb533b5 100644 --- a/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy +++ b/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy @@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "bastionuserdata.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "bastionuserdata.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -152,8 +169,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", 
@@ -166,6 +188,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -190,7 +215,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/complex/cloudformation.json b/tests/integration/update_cluster/complex/cloudformation.json index 0b822594d0..fb5a9bc592 100644 --- a/tests/integration/update_cluster/complex/cloudformation.json +++ b/tests/integration/update_cluster/complex/cloudformation.json @@ -1678,16 +1678,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "complex.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "complex.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -1732,8 +1749,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", 
@@ -1746,6 +1768,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -1770,7 +1795,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy b/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy index 5df24184ed..4cecf3de2b 100644 --- a/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy +++ b/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy @@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "complex.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "complex.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { 
@@ -152,8 +169,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -166,6 +188,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -190,7 +215,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy b/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy index e2e3b1ec2b..17dc127bac 100644 --- a/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy +++ b/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy 
@@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "compress.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "compress.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -152,8 +169,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -166,6 +188,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -190,7 +215,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/containerd-custom/cloudformation.json b/tests/integration/update_cluster/containerd-custom/cloudformation.json index 5dccb308a4..c560651a30 100644 --- a/tests/integration/update_cluster/containerd-custom/cloudformation.json +++ b/tests/integration/update_cluster/containerd-custom/cloudformation.json 
@@ -1050,16 +1050,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "containerd.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "containerd.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -1104,8 +1121,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -1118,6 +1140,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -1142,7 +1167,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/containerd/cloudformation.json b/tests/integration/update_cluster/containerd/cloudformation.json index 5dccb308a4..c560651a30 100644 --- a/tests/integration/update_cluster/containerd/cloudformation.json +++ b/tests/integration/update_cluster/containerd/cloudformation.json 
@@ -1050,16 +1050,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "containerd.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "containerd.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -1104,8 +1121,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -1118,6 +1140,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -1142,7 +1167,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/digit/data/aws_iam_role_policy_masters.123.example.com_policy b/tests/integration/update_cluster/digit/data/aws_iam_role_policy_masters.123.example.com_policy index d80cb72cb4..b1b38d77cd 100644 --- a/tests/integration/update_cluster/digit/data/aws_iam_role_policy_masters.123.example.com_policy 
+++ b/tests/integration/update_cluster/digit/data/aws_iam_role_policy_masters.123.example.com_policy @@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "123.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "123.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -152,8 +169,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -166,6 +188,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -190,7 +215,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/docker-custom/cloudformation.json b/tests/integration/update_cluster/docker-custom/cloudformation.json index 93de827172..7591471097 100644 --- a/tests/integration/update_cluster/docker-custom/cloudformation.json 
+++ b/tests/integration/update_cluster/docker-custom/cloudformation.json @@ -1050,16 +1050,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "docker.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "docker.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -1104,8 +1121,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -1118,6 +1140,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -1142,7 +1167,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy b/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy index 785c95f4b7..1d073d1431 100644 
--- a/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy +++ b/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy @@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "existingsg.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "existingsg.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -152,8 +169,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -166,6 +188,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -190,7 +215,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", 
diff --git a/tests/integration/update_cluster/external_dns/cloudformation.json b/tests/integration/update_cluster/external_dns/cloudformation.json index 36c5cf8508..cd5d993184 100644 --- a/tests/integration/update_cluster/external_dns/cloudformation.json +++ b/tests/integration/update_cluster/external_dns/cloudformation.json @@ -1050,16 +1050,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -1104,8 +1121,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -1118,6 +1140,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -1142,7 +1167,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", 
diff --git a/tests/integration/update_cluster/external_dns/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/external_dns/data/aws_iam_role_policy_masters.minimal.example.com_policy index cdf37d463c..df51d25b6c 100644 --- a/tests/integration/update_cluster/external_dns/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/external_dns/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -152,8 +169,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -166,6 +188,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", 
@@ -190,7 +215,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/external_dns_irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/external_dns_irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy index e7a32649b0..a7cf7944ad 100644 --- a/tests/integration/update_cluster/external_dns_irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/external_dns_irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -115,8 +132,13 @@ "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", "ec2:DescribeRegions", 
@@ -125,6 +147,9 @@ "ec2:DescribeSubnets", "ec2:DescribeVolumes", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -145,14 +170,9 @@ }, { "Action": [ - "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume", "ec2:RevokeSecurityGroupIngress", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", @@ -186,7 +206,6 @@ { "Action": [ "ec2:CreateSecurityGroup", - "ec2:CreateVolume", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateTargetGroup" diff --git a/tests/integration/update_cluster/externallb/cloudformation.json b/tests/integration/update_cluster/externallb/cloudformation.json index 721fb8b6e9..e17bf5e212 100644 --- a/tests/integration/update_cluster/externallb/cloudformation.json +++ b/tests/integration/update_cluster/externallb/cloudformation.json @@ -1066,16 +1066,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "externallb.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "externallb.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { 
@@ -1120,8 +1137,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -1134,6 +1156,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -1158,7 +1183,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy b/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy index b89f0e215c..e902f58037 100644 --- a/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy +++ b/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy 
@@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "externallb.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "externallb.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -152,8 +169,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -166,6 +188,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -190,7 +215,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy b/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy index 30107afb00..df64a06712 100644 
--- a/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy +++ b/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy @@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "externalpolicies.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "externalpolicies.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -152,8 +169,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -166,6 +188,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -190,7 +215,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", 
diff --git a/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy b/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy index 71efa68443..4e8fe39bec 100644 --- a/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy +++ b/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy @@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "ha.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "ha.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -152,8 +169,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -166,6 +188,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", 
@@ -190,7 +215,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy index cdf37d463c..df51d25b6c 100644 --- a/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -152,8 +169,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", 
@@ -166,6 +188,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -190,7 +215,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/karpenter/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/karpenter/data/aws_iam_role_policy_masters.minimal.example.com_policy index e7a32649b0..a7cf7944ad 100644 --- a/tests/integration/update_cluster/karpenter/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/karpenter/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { 
@@ -115,8 +132,13 @@ "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", "ec2:DescribeRegions", @@ -125,6 +147,9 @@ "ec2:DescribeSubnets", "ec2:DescribeVolumes", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -145,14 +170,9 @@ }, { "Action": [ - "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume", "ec2:RevokeSecurityGroupIngress", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", @@ -186,7 +206,6 @@ { "Action": [ "ec2:CreateSecurityGroup", - "ec2:CreateVolume", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateTargetGroup" diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_aws-cloud-controller-manager.kube-system.sa.minimal.example.com_policy b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_aws-cloud-controller-manager.kube-system.sa.minimal.example.com_policy index 6049c7ff9b..a2dccd0674 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_aws-cloud-controller-manager.kube-system.sa.minimal.example.com_policy +++ b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_aws-cloud-controller-manager.kube-system.sa.minimal.example.com_policy 
@@ -1,5 +1,15 @@ { "Statement": [ + { + "Action": "ec2:CreateSecurityGroup", + "Condition": { + "StringEquals": { + "ec2:RequestTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" + }, { "Action": "ec2:CreateTags", "Condition": { @@ -16,6 +26,18 @@ "arn:aws-test:ec2:*:*:snapshot/*" ] }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateSecurityGroup" + ] + } + }, + "Effect": "Allow", + "Resource": "*" + }, { "Action": [ "autoscaling:DescribeAutoScalingGroups", @@ -86,7 +108,6 @@ }, { "Action": [ - "ec2:CreateSecurityGroup", "ec2:CreateVolume", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateLoadBalancer", diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa/in-v1alpha2.yaml b/tests/integration/update_cluster/many-addons-ccm-irsa/in-v1alpha2.yaml index 59893657ea..988d1962ec 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa/in-v1alpha2.yaml +++ b/tests/integration/update_cluster/many-addons-ccm-irsa/in-v1alpha2.yaml @@ -33,7 +33,7 @@ spec: useServiceAccountExternalPermissions: true kubelet: anonymousAuth: false - kubernetesVersion: v1.21.0 + kubernetesVersion: v1.23.0 masterInternalName: api.internal.minimal.example.com masterPublicName: api.minimal.example.com networkCIDR: 172.20.0.0/16 diff --git a/tests/integration/update_cluster/many-addons-ccm/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/many-addons-ccm/data/aws_iam_role_policy_masters.minimal.example.com_policy index 31c9a85be3..3bcde64f0a 100644 --- a/tests/integration/update_cluster/many-addons-ccm/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/many-addons-ccm/data/aws_iam_role_policy_masters.minimal.example.com_policy 
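Review bot: The `ec2:CreateSecurityGroup` statement added here conditions on `ec2:RequestTag/KubernetesCluster`, while the master-role policies elsewhere in this diff use `aws:RequestTag/KubernetesCluster` for the same purpose; as far as I know only the `aws:` form is a documented EC2 condition key, so this should be verified against the IAM service authorization reference or the condition may never match. The companion `ec2:CreateTags` statement (`ec2:CreateAction: CreateSecurityGroup`) uses `"Resource": "*"` and lacks the request-tag condition that the master policies carry, so the service-account policy ends up broader than the node-role one; if that is intentional, a comment in the generator explaining why would help the next reader. Both statements are generated fixtures, so any change belongs in the builder with the fixtures regenerated.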
@@ -134,16 +134,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -165,11 +182,16 @@ "autoscaling:DescribeTags", "ec2:AssignPrivateIpAddresses", "ec2:AttachNetworkInterface", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateNetworkInterface", "ec2:CreateSecurityGroup", "ec2:CreateSnapshot", "ec2:CreateTags", "ec2:DeleteNetworkInterface", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", "ec2:DescribeInstanceTypes", @@ -186,7 +208,10 @@ "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", "ec2:DetachNetworkInterface", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", "ec2:ModifyNetworkInterfaceAttribute", + "ec2:ModifyVolume", "ec2:UnassignPrivateIpAddresses", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", @@ -217,7 +242,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteSnapshot", "ec2:DeleteVolume", diff --git a/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy index 074dac41bc..caa8972016 100644 
--- a/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -165,11 +182,16 @@ "autoscaling:DescribeTags", "ec2:AssignPrivateIpAddresses", "ec2:AttachNetworkInterface", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateNetworkInterface", "ec2:CreateSecurityGroup", "ec2:CreateSnapshot", "ec2:CreateTags", "ec2:DeleteNetworkInterface", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", "ec2:DescribeInstanceTypes", @@ -186,7 +208,10 @@ "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", "ec2:DetachNetworkInterface", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", "ec2:ModifyNetworkInterfaceAttribute", + "ec2:ModifyVolume", "ec2:UnassignPrivateIpAddresses", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", @@ -217,7 +242,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteSnapshot", "ec2:DeleteVolume", 
diff --git a/tests/integration/update_cluster/minimal-1.23/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/minimal-1.23/data/aws_iam_role_policy_masters.minimal.example.com_policy index 6f235eaa46..9d5845617f 100644 --- a/tests/integration/update_cluster/minimal-1.23/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/minimal-1.23/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -152,8 +169,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -166,6 +188,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:DescribeRepositories", 
@@ -197,7 +222,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/minimal-1.24/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/minimal-1.24/data/aws_iam_role_policy_masters.minimal.example.com_policy index cb05a4c09c..d67123e3fe 100644 --- a/tests/integration/update_cluster/minimal-1.24/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/minimal-1.24/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -134,16 +134,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -152,7 +169,6 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", - "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", 
@@ -173,16 +189,12 @@ "ecr:GetDownloadUrlForLayer", "ecr:GetRepositoryPolicy", "ecr:ListImages", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:RegisterTargets", "iam:GetServerCertificate", "iam:ListServerCertificates", "kms:DescribeKey", @@ -197,7 +209,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/minimal-etcd/cloudformation.json b/tests/integration/update_cluster/minimal-etcd/cloudformation.json index 7b08ac3c73..679cef8ffb 100644 --- a/tests/integration/update_cluster/minimal-etcd/cloudformation.json +++ b/tests/integration/update_cluster/minimal-etcd/cloudformation.json @@ -1050,16 +1050,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal-etcd.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal-etcd.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { 
@@ -1104,8 +1121,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -1118,6 +1140,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -1142,7 +1167,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/minimal-gp3/cloudformation.json b/tests/integration/update_cluster/minimal-gp3/cloudformation.json index 190ea3c018..03414e40a7 100644 --- a/tests/integration/update_cluster/minimal-gp3/cloudformation.json +++ b/tests/integration/update_cluster/minimal-gp3/cloudformation.json @@ -1046,16 +1046,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { 
@@ -1100,8 +1117,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -1114,6 +1136,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -1138,7 +1163,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy index cdf37d463c..df51d25b6c 100644 --- a/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy 
@@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -152,8 +169,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -166,6 +188,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -190,7 +215,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/minimal-ipv6-calico/cloudformation.json b/tests/integration/update_cluster/minimal-ipv6-calico/cloudformation.json index c73920b1c0..01f48d30b5 100644 --- a/tests/integration/update_cluster/minimal-ipv6-calico/cloudformation.json +++ b/tests/integration/update_cluster/minimal-ipv6-calico/cloudformation.json 
@@ -1387,16 +1387,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal-ipv6.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -1406,8 +1423,13 @@ "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", "ec2:AssignIpv6Addresses", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -1421,7 +1443,10 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", "ec2:ModifyNetworkInterfaceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -1446,7 +1471,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy index 15f194786d..9a1367995c 100644 
--- a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy +++ b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy @@ -134,16 +134,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal-ipv6.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -153,8 +170,13 @@ "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", "ec2:AssignIpv6Addresses", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -168,7 +190,10 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", "ec2:ModifyNetworkInterfaceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -193,7 +218,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", 
diff --git a/tests/integration/update_cluster/minimal-ipv6-cilium/cloudformation.json b/tests/integration/update_cluster/minimal-ipv6-cilium/cloudformation.json index 4c992dfc6e..1f35c733ee 100644 --- a/tests/integration/update_cluster/minimal-ipv6-cilium/cloudformation.json +++ b/tests/integration/update_cluster/minimal-ipv6-cilium/cloudformation.json @@ -1373,16 +1373,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal-ipv6.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -1392,8 +1409,13 @@ "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", "ec2:AssignIpv6Addresses", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -1407,6 +1429,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -1431,7 +1456,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", 
diff --git a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy index 09bd557835..8d3c927a0e 100644 --- a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy +++ b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy @@ -134,16 +134,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal-ipv6.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -153,8 +170,13 @@ "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", "ec2:AssignIpv6Addresses", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -168,6 +190,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", 
@@ -192,7 +217,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/minimal-ipv6-private/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy b/tests/integration/update_cluster/minimal-ipv6-private/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy index 09bd557835..738437f335 100644 --- a/tests/integration/update_cluster/minimal-ipv6-private/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy +++ b/tests/integration/update_cluster/minimal-ipv6-private/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy @@ -134,16 +134,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal-ipv6.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -153,7 +170,6 @@ "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", "ec2:AssignIpv6Addresses", - "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", 
@@ -168,16 +184,12 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:RegisterTargets", "iam:GetServerCertificate", "iam:ListServerCertificates", "kms:DescribeKey", @@ -192,7 +204,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/minimal-ipv6/cloudformation.json b/tests/integration/update_cluster/minimal-ipv6/cloudformation.json index 4c992dfc6e..1f35c733ee 100644 --- a/tests/integration/update_cluster/minimal-ipv6/cloudformation.json +++ b/tests/integration/update_cluster/minimal-ipv6/cloudformation.json @@ -1373,16 +1373,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal-ipv6.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { 
@@ -1392,8 +1409,13 @@ "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", "ec2:AssignIpv6Addresses", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -1407,6 +1429,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -1431,7 +1456,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy b/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy index 09bd557835..8d3c927a0e 100644 --- a/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy +++ b/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy 
@@ -134,16 +134,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal-ipv6.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -153,8 +170,13 @@ "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", "ec2:AssignIpv6Addresses", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -168,6 +190,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -192,7 +217,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy b/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy index 7f3f4fb19b..4fd58ff42e 100644 
--- a/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy +++ b/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy @@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal-warmpool.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal-warmpool.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -152,8 +169,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -166,6 +188,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -190,7 +215,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", 
diff --git a/tests/integration/update_cluster/minimal/cloudformation.json b/tests/integration/update_cluster/minimal/cloudformation.json index 36c5cf8508..cd5d993184 100644 --- a/tests/integration/update_cluster/minimal/cloudformation.json +++ b/tests/integration/update_cluster/minimal/cloudformation.json @@ -1050,16 +1050,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -1104,8 +1121,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -1118,6 +1140,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -1142,7 +1167,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", 
diff --git a/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy index cdf37d463c..df51d25b6c 100644 --- a/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -152,8 +169,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -166,6 +188,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", 
@@ -190,7 +215,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy b/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy index dd7c05a8c2..03c9f0194c 100644 --- a/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy +++ b/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy @@ -68,16 +68,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.k8s.local", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.k8s.local" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -122,8 +139,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", 
@@ -136,6 +158,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -160,7 +185,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/minimal_gossip_irsa/data/aws_iam_role_policy_masters.minimal.k8s.local_policy b/tests/integration/update_cluster/minimal_gossip_irsa/data/aws_iam_role_policy_masters.minimal.k8s.local_policy index edda6ba294..8e3db425be 100644 --- a/tests/integration/update_cluster/minimal_gossip_irsa/data/aws_iam_role_policy_masters.minimal.k8s.local_policy +++ b/tests/integration/update_cluster/minimal_gossip_irsa/data/aws_iam_role_policy_masters.minimal.k8s.local_policy @@ -68,16 +68,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.k8s.local", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.k8s.local" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { 
@@ -85,8 +102,13 @@ "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", "ec2:DescribeRegions", @@ -95,6 +117,9 @@ "ec2:DescribeSubnets", "ec2:DescribeVolumes", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -115,14 +140,9 @@ }, { "Action": [ - "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume", "ec2:RevokeSecurityGroupIngress", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", @@ -156,7 +176,6 @@ { "Action": [ "ec2:CreateSecurityGroup", - "ec2:CreateVolume", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateTargetGroup" diff --git a/tests/integration/update_cluster/mixed_instances/cloudformation.json b/tests/integration/update_cluster/mixed_instances/cloudformation.json index 730491b7e2..59153d6a61 100644 --- a/tests/integration/update_cluster/mixed_instances/cloudformation.json +++ b/tests/integration/update_cluster/mixed_instances/cloudformation.json 
@@ -1769,16 +1769,33 @@
 "Action": "ec2:CreateTags",
 "Condition": {
 "StringEquals": {
+ "aws:RequestTag/KubernetesCluster": "mixedinstances.example.com",
 "ec2:CreateAction": [
- "CreateVolume",
- "CreateSnapshot"
+ "CreateSecurityGroup"
 ]
 }
 },
 "Effect": "Allow",
 "Resource": [
- "arn:aws-test:ec2:*:*:volume/*",
- "arn:aws-test:ec2:*:*:snapshot/*"
+ "arn:aws-test:ec2:*:*:securitygroups/*"
+ ]
+ },
+ {
+ "Action": [
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ],
+ "Condition": {
+ "Null": {
+ "aws:RequestTag/KubernetesCluster": "true"
+ },
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "mixedinstances.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws-test:ec2:*:*:securitygroups/*"
 ]
 },
 {
@@ -1823,8 +1840,13 @@
 "autoscaling:DescribeAutoScalingInstances",
 "autoscaling:DescribeLaunchConfigurations",
 "autoscaling:DescribeTags",
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
 "ec2:CreateSecurityGroup",
 "ec2:CreateTags",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeInstances",
@@ -1837,6 +1859,9 @@
 "ec2:DescribeVolumes",
 "ec2:DescribeVolumesModifications",
 "ec2:DescribeVpcs",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume",
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:CreateListener",
 "elasticloadbalancing:CreateTargetGroup",
@@ -1861,7 +1886,6 @@
 "autoscaling:TerminateInstanceInAutoScalingGroup",
 "ec2:AttachVolume",
 "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteRoute",
 "ec2:DeleteSecurityGroup",
 "ec2:DeleteVolume",
 "ec2:DetachVolume",
diff --git a/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy b/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy
index e1c8078db1..4e1e94bd91 100644
--- a/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy
+++ b/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy
@@ -98,16 +98,33 @@
 "Action": "ec2:CreateTags",
 "Condition": {
 "StringEquals": {
+ "aws:RequestTag/KubernetesCluster": "mixedinstances.example.com",
 "ec2:CreateAction": [
- "CreateVolume",
- "CreateSnapshot"
+ "CreateSecurityGroup"
 ]
 }
 },
 "Effect": "Allow",
 "Resource": [
- "arn:aws-test:ec2:*:*:volume/*",
- "arn:aws-test:ec2:*:*:snapshot/*"
+ "arn:aws-test:ec2:*:*:securitygroups/*"
+ ]
+ },
+ {
+ "Action": [
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ],
+ "Condition": {
+ "Null": {
+ "aws:RequestTag/KubernetesCluster": "true"
+ },
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "mixedinstances.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws-test:ec2:*:*:securitygroups/*"
 ]
 },
 {
@@ -152,8 +169,13 @@
 "autoscaling:DescribeAutoScalingInstances",
 "autoscaling:DescribeLaunchConfigurations",
 "autoscaling:DescribeTags",
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
 "ec2:CreateSecurityGroup",
 "ec2:CreateTags",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeInstances",
@@ -166,6 +188,9 @@
 "ec2:DescribeVolumes",
 "ec2:DescribeVolumesModifications",
 "ec2:DescribeVpcs",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume",
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:CreateListener",
 "elasticloadbalancing:CreateTargetGroup",
@@ -190,7 +215,6 @@
 "autoscaling:TerminateInstanceInAutoScalingGroup",
 "ec2:AttachVolume",
 "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteRoute",
 "ec2:DeleteSecurityGroup",
 "ec2:DeleteVolume",
 "ec2:DetachVolume",
diff --git a/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json b/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json
index d507c31966..2615bbbeed 100644
--- a/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json
+++ b/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json
@@ -1770,16 +1770,33 @@
 "Action": "ec2:CreateTags",
 "Condition": {
 "StringEquals": {
+ "aws:RequestTag/KubernetesCluster": "mixedinstances.example.com",
 "ec2:CreateAction": [
- "CreateVolume",
- "CreateSnapshot"
+ "CreateSecurityGroup"
 ]
 }
 },
 "Effect": "Allow",
 "Resource": [
- "arn:aws-test:ec2:*:*:volume/*",
- "arn:aws-test:ec2:*:*:snapshot/*"
+ "arn:aws-test:ec2:*:*:securitygroups/*"
+ ]
+ },
+ {
+ "Action": [
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ],
+ "Condition": {
+ "Null": {
+ "aws:RequestTag/KubernetesCluster": "true"
+ },
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "mixedinstances.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws-test:ec2:*:*:securitygroups/*"
 ]
 },
 {
@@ -1824,8 +1841,13 @@
 "autoscaling:DescribeAutoScalingInstances",
 "autoscaling:DescribeLaunchConfigurations",
 "autoscaling:DescribeTags",
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
 "ec2:CreateSecurityGroup",
 "ec2:CreateTags",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeInstances",
@@ -1838,6 +1860,9 @@
 "ec2:DescribeVolumes",
 "ec2:DescribeVolumesModifications",
 "ec2:DescribeVpcs",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume",
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:CreateListener",
 "elasticloadbalancing:CreateTargetGroup",
@@ -1862,7 +1887,6 @@
 "autoscaling:TerminateInstanceInAutoScalingGroup",
 "ec2:AttachVolume",
 "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteRoute",
 "ec2:DeleteSecurityGroup",
 "ec2:DeleteVolume",
 "ec2:DetachVolume",
diff --git a/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy b/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy
index e1c8078db1..4e1e94bd91 100644
--- a/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy
+++ b/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy
@@ -98,16 +98,33 @@
 "Action": "ec2:CreateTags",
 "Condition": {
 "StringEquals": {
+ "aws:RequestTag/KubernetesCluster": "mixedinstances.example.com",
 "ec2:CreateAction": [
- "CreateVolume",
- "CreateSnapshot"
+ "CreateSecurityGroup"
 ]
 }
 },
 "Effect": "Allow",
 "Resource": [
- "arn:aws-test:ec2:*:*:volume/*",
- "arn:aws-test:ec2:*:*:snapshot/*"
+ "arn:aws-test:ec2:*:*:securitygroups/*"
+ ]
+ },
+ {
+ "Action": [
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ],
+ "Condition": {
+ "Null": {
+ "aws:RequestTag/KubernetesCluster": "true"
+ },
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "mixedinstances.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws-test:ec2:*:*:securitygroups/*"
 ]
 },
 {
@@ -152,8 +169,13 @@
 "autoscaling:DescribeAutoScalingInstances",
 "autoscaling:DescribeLaunchConfigurations",
 "autoscaling:DescribeTags",
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
 "ec2:CreateSecurityGroup",
 "ec2:CreateTags",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeInstances",
@@ -166,6 +188,9 @@
 "ec2:DescribeVolumes",
 "ec2:DescribeVolumesModifications",
 "ec2:DescribeVpcs",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume",
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:CreateListener",
 "elasticloadbalancing:CreateTargetGroup",
@@ -190,7 +215,6 @@
 "autoscaling:TerminateInstanceInAutoScalingGroup",
 "ec2:AttachVolume",
 "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteRoute",
 "ec2:DeleteSecurityGroup",
 "ec2:DeleteVolume",
 "ec2:DetachVolume",
diff --git a/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json b/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json
index fd658c03f1..6b45ae17bd 100644
--- a/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json
+++ b/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json
@@ -1188,16 +1188,33 @@
 "Action": "ec2:CreateTags",
 "Condition": {
 "StringEquals": {
+ "aws:RequestTag/KubernetesCluster": "nthsqsresources.longclustername.example.com",
 "ec2:CreateAction": [
- "CreateVolume",
- "CreateSnapshot"
+ "CreateSecurityGroup"
 ]
 }
 },
 "Effect": "Allow",
 "Resource": [
- "arn:aws-test:ec2:*:*:volume/*",
- "arn:aws-test:ec2:*:*:snapshot/*"
+ "arn:aws-test:ec2:*:*:securitygroups/*"
+ ]
+ },
+ {
+ "Action": [
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ],
+ "Condition": {
+ "Null": {
+ "aws:RequestTag/KubernetesCluster": "true"
+ },
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "nthsqsresources.longclustername.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws-test:ec2:*:*:securitygroups/*"
 ]
 },
 {
@@ -1242,8 +1259,13 @@
 "autoscaling:DescribeAutoScalingInstances",
 "autoscaling:DescribeLaunchConfigurations",
 "autoscaling:DescribeTags",
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
 "ec2:CreateSecurityGroup",
 "ec2:CreateTags",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeInstances",
@@ -1256,6 +1278,9 @@
 "ec2:DescribeVolumes",
 "ec2:DescribeVolumesModifications",
 "ec2:DescribeVpcs",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume",
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:CreateListener",
 "elasticloadbalancing:CreateTargetGroup",
@@ -1283,7 +1308,6 @@
 "autoscaling:TerminateInstanceInAutoScalingGroup",
 "ec2:AttachVolume",
 "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteRoute",
 "ec2:DeleteSecurityGroup",
 "ec2:DeleteVolume",
 "ec2:DetachVolume",
diff --git a/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.longclustername.example.com_policy b/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.longclustername.example.com_policy
index beb9a6c690..8825f3c2e6 100644
--- a/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.longclustername.example.com_policy
+++ b/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.longclustername.example.com_policy
@@ -98,16 +98,33 @@
 "Action": "ec2:CreateTags",
 "Condition": {
 "StringEquals": {
+ "aws:RequestTag/KubernetesCluster": "nthsqsresources.longclustername.example.com",
 "ec2:CreateAction": [
- "CreateVolume",
- "CreateSnapshot"
+ "CreateSecurityGroup"
 ]
 }
 },
 "Effect": "Allow",
 "Resource": [
- "arn:aws-test:ec2:*:*:volume/*",
- "arn:aws-test:ec2:*:*:snapshot/*"
+ "arn:aws-test:ec2:*:*:securitygroups/*"
+ ]
+ },
+ {
+ "Action": [
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ],
+ "Condition": {
+ "Null": {
+ "aws:RequestTag/KubernetesCluster": "true"
+ },
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "nthsqsresources.longclustername.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws-test:ec2:*:*:securitygroups/*"
 ]
 },
 {
@@ -152,8 +169,13 @@
 "autoscaling:DescribeAutoScalingInstances",
 "autoscaling:DescribeLaunchConfigurations",
 "autoscaling:DescribeTags",
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
 "ec2:CreateSecurityGroup",
 "ec2:CreateTags",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeInstances",
@@ -166,6 +188,9 @@
 "ec2:DescribeVolumes",
 "ec2:DescribeVolumesModifications",
 "ec2:DescribeVpcs",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume",
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:CreateListener",
 "elasticloadbalancing:CreateTargetGroup",
@@ -193,7 +218,6 @@
 "autoscaling:TerminateInstanceInAutoScalingGroup",
 "ec2:AttachVolume",
 "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteRoute",
 "ec2:DeleteSecurityGroup",
 "ec2:DeleteVolume",
 "ec2:DetachVolume",
diff --git a/tests/integration/update_cluster/nvidia/cloudformation.json b/tests/integration/update_cluster/nvidia/cloudformation.json
index 3635898a22..121a6a9058 100644
--- a/tests/integration/update_cluster/nvidia/cloudformation.json
+++ b/tests/integration/update_cluster/nvidia/cloudformation.json
@@ -1063,16 +1063,33 @@
 "Action": "ec2:CreateTags",
 "Condition": {
 "StringEquals": {
+ "aws:RequestTag/KubernetesCluster": "minimal.example.com",
 "ec2:CreateAction": [
- "CreateVolume",
- "CreateSnapshot"
+ "CreateSecurityGroup"
 ]
 }
 },
 "Effect": "Allow",
 "Resource": [
- "arn:aws-test:ec2:*:*:volume/*",
- "arn:aws-test:ec2:*:*:snapshot/*"
+ "arn:aws-test:ec2:*:*:securitygroups/*"
+ ]
+ },
+ {
+ "Action": [
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ],
+ "Condition": {
+ "Null": {
+ "aws:RequestTag/KubernetesCluster": "true"
+ },
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "minimal.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws-test:ec2:*:*:securitygroups/*"
 ]
 },
 {
@@ -1117,8 +1134,13 @@
 "autoscaling:DescribeAutoScalingInstances",
 "autoscaling:DescribeLaunchConfigurations",
 "autoscaling:DescribeTags",
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
 "ec2:CreateSecurityGroup",
 "ec2:CreateTags",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeInstances",
@@ -1131,6 +1153,9 @@
 "ec2:DescribeVolumes",
 "ec2:DescribeVolumesModifications",
 "ec2:DescribeVpcs",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume",
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:CreateListener",
 "elasticloadbalancing:CreateTargetGroup",
@@ -1155,7 +1180,6 @@
 "autoscaling:TerminateInstanceInAutoScalingGroup",
 "ec2:AttachVolume",
 "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteRoute",
 "ec2:DeleteSecurityGroup",
 "ec2:DeleteVolume",
 "ec2:DetachVolume",
diff --git a/tests/integration/update_cluster/nvidia/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/nvidia/data/aws_iam_role_policy_masters.minimal.example.com_policy
index cdf37d463c..df51d25b6c 100644
--- a/tests/integration/update_cluster/nvidia/data/aws_iam_role_policy_masters.minimal.example.com_policy
+++ b/tests/integration/update_cluster/nvidia/data/aws_iam_role_policy_masters.minimal.example.com_policy
@@ -98,16 +98,33 @@
 "Action": "ec2:CreateTags",
 "Condition": {
 "StringEquals": {
+ "aws:RequestTag/KubernetesCluster": "minimal.example.com",
 "ec2:CreateAction": [
- "CreateVolume",
- "CreateSnapshot"
+ "CreateSecurityGroup"
 ]
 }
 },
 "Effect": "Allow",
 "Resource": [
- "arn:aws-test:ec2:*:*:volume/*",
- "arn:aws-test:ec2:*:*:snapshot/*"
+ "arn:aws-test:ec2:*:*:securitygroups/*"
+ ]
+ },
+ {
+ "Action": [
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ],
+ "Condition": {
+ "Null": {
+ "aws:RequestTag/KubernetesCluster": "true"
+ },
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "minimal.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws-test:ec2:*:*:securitygroups/*"
 ]
 },
 {
@@ -152,8 +169,13 @@
 "autoscaling:DescribeAutoScalingInstances",
 "autoscaling:DescribeLaunchConfigurations",
 "autoscaling:DescribeTags",
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
 "ec2:CreateSecurityGroup",
 "ec2:CreateTags",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeInstances",
@@ -166,6 +188,9 @@
 "ec2:DescribeVolumes",
 "ec2:DescribeVolumesModifications",
 "ec2:DescribeVpcs",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume",
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:CreateListener",
 "elasticloadbalancing:CreateTargetGroup",
@@ -190,7 +215,6 @@
 "autoscaling:TerminateInstanceInAutoScalingGroup",
 "ec2:AttachVolume",
 "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteRoute",
 "ec2:DeleteSecurityGroup",
 "ec2:DeleteVolume",
 "ec2:DetachVolume",
diff --git a/tests/integration/update_cluster/private-shared-ip/cloudformation.json b/tests/integration/update_cluster/private-shared-ip/cloudformation.json
index b5172b1b91..607e9c3d52 100644
--- a/tests/integration/update_cluster/private-shared-ip/cloudformation.json
+++ b/tests/integration/update_cluster/private-shared-ip/cloudformation.json
@@ -1570,16 +1570,33 @@
 "Action": "ec2:CreateTags",
 "Condition": {
 "StringEquals": {
+ "aws:RequestTag/KubernetesCluster": "private-shared-ip.example.com",
 "ec2:CreateAction": [
- "CreateVolume",
- "CreateSnapshot"
+ "CreateSecurityGroup"
 ]
 }
 },
 "Effect": "Allow",
 "Resource": [
- "arn:aws-test:ec2:*:*:volume/*",
- "arn:aws-test:ec2:*:*:snapshot/*"
+ "arn:aws-test:ec2:*:*:securitygroups/*"
+ ]
+ },
+ {
+ "Action": [
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ],
+ "Condition": {
+ "Null": {
+ "aws:RequestTag/KubernetesCluster": "true"
+ },
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "private-shared-ip.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws-test:ec2:*:*:securitygroups/*"
 ]
 },
 {
@@ -1624,8 +1641,13 @@
 "autoscaling:DescribeAutoScalingInstances",
 "autoscaling:DescribeLaunchConfigurations",
 "autoscaling:DescribeTags",
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
 "ec2:CreateSecurityGroup",
 "ec2:CreateTags",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeInstances",
@@ -1638,6 +1660,9 @@
 "ec2:DescribeVolumes",
 "ec2:DescribeVolumesModifications",
 "ec2:DescribeVpcs",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume",
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:CreateListener",
 "elasticloadbalancing:CreateTargetGroup",
@@ -1662,7 +1687,6 @@
 "autoscaling:TerminateInstanceInAutoScalingGroup",
 "ec2:AttachVolume",
 "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteRoute",
 "ec2:DeleteSecurityGroup",
 "ec2:DeleteVolume",
 "ec2:DetachVolume",
diff --git a/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy b/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy
index 844e1b4956..067b795f74 100644
--- a/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy
+++ b/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy
@@ -98,16 +98,33 @@
 "Action": "ec2:CreateTags",
 "Condition": {
 "StringEquals": {
+ "aws:RequestTag/KubernetesCluster": "private-shared-ip.example.com",
 "ec2:CreateAction": [
- "CreateVolume",
- "CreateSnapshot"
+ "CreateSecurityGroup"
 ]
 }
 },
 "Effect": "Allow",
 "Resource": [
- "arn:aws-test:ec2:*:*:volume/*",
- "arn:aws-test:ec2:*:*:snapshot/*"
+ "arn:aws-test:ec2:*:*:securitygroups/*"
+ ]
+ },
+ {
+ "Action": [
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ],
+ "Condition": {
+ "Null": {
+ "aws:RequestTag/KubernetesCluster": "true"
+ },
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "private-shared-ip.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws-test:ec2:*:*:securitygroups/*"
 ]
 },
 {
@@ -152,8 +169,13 @@
 "autoscaling:DescribeAutoScalingInstances",
 "autoscaling:DescribeLaunchConfigurations",
 "autoscaling:DescribeTags",
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
 "ec2:CreateSecurityGroup",
 "ec2:CreateTags",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeInstances",
@@ -166,6 +188,9 @@
 "ec2:DescribeVolumes",
 "ec2:DescribeVolumesModifications",
 "ec2:DescribeVpcs",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume",
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:CreateListener",
 "elasticloadbalancing:CreateTargetGroup",
@@ -190,7 +215,6 @@
 "autoscaling:TerminateInstanceInAutoScalingGroup",
 "ec2:AttachVolume",
 "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteRoute",
 "ec2:DeleteSecurityGroup",
 "ec2:DeleteVolume",
 "ec2:DetachVolume",
diff --git a/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy b/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy
index d7a503b1f3..58078e9ed4 100644
--- a/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy
+++ b/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy
@@ -98,16 +98,33 @@
 "Action": "ec2:CreateTags",
 "Condition": {
 "StringEquals": {
+ "aws:RequestTag/KubernetesCluster": "private-shared-subnet.example.com",
 "ec2:CreateAction": [
- "CreateVolume",
- "CreateSnapshot"
+ "CreateSecurityGroup"
 ]
 }
 },
 "Effect": "Allow",
 "Resource": [
- "arn:aws-test:ec2:*:*:volume/*",
- "arn:aws-test:ec2:*:*:snapshot/*"
+ "arn:aws-test:ec2:*:*:securitygroups/*"
+ ]
+ },
+ {
+ "Action": [
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ],
+ "Condition": {
+ "Null": {
+ "aws:RequestTag/KubernetesCluster": "true"
+ },
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "private-shared-subnet.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws-test:ec2:*:*:securitygroups/*"
 ]
 },
 {
@@ -152,8 +169,13 @@
 "autoscaling:DescribeAutoScalingInstances",
 "autoscaling:DescribeLaunchConfigurations",
 "autoscaling:DescribeTags",
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
 "ec2:CreateSecurityGroup",
 "ec2:CreateTags",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeInstances",
@@ -166,6 +188,9 @@
 "ec2:DescribeVolumes",
 "ec2:DescribeVolumesModifications",
 "ec2:DescribeVpcs",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume",
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:CreateListener",
 "elasticloadbalancing:CreateTargetGroup",
@@ -190,7 +215,6 @@
 "autoscaling:TerminateInstanceInAutoScalingGroup",
 "ec2:AttachVolume",
 "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteRoute",
 "ec2:DeleteSecurityGroup",
 "ec2:DeleteVolume",
 "ec2:DetachVolume",
diff --git a/tests/integration/update_cluster/privatecalico/cloudformation.json b/tests/integration/update_cluster/privatecalico/cloudformation.json
index 8a55297c72..c03f63c5c3 100644
--- a/tests/integration/update_cluster/privatecalico/cloudformation.json
+++ b/tests/integration/update_cluster/privatecalico/cloudformation.json
@@ -1726,16 +1726,33 @@
 "Action": "ec2:CreateTags",
 "Condition": {
 "StringEquals": {
+ "aws:RequestTag/KubernetesCluster": "privatecalico.example.com",
 "ec2:CreateAction": [
- "CreateVolume",
- "CreateSnapshot"
+ "CreateSecurityGroup"
 ]
 }
 },
 "Effect": "Allow",
 "Resource": [
- "arn:aws-test:ec2:*:*:volume/*",
- "arn:aws-test:ec2:*:*:snapshot/*"
+ "arn:aws-test:ec2:*:*:securitygroups/*"
+ ]
+ },
+ {
+ "Action": [
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ],
+ "Condition": {
+ "Null": {
+ "aws:RequestTag/KubernetesCluster": "true"
+ },
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "privatecalico.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws-test:ec2:*:*:securitygroups/*"
 ]
 },
 {
@@ -1780,8 +1797,13 @@
 "autoscaling:DescribeAutoScalingInstances",
 "autoscaling:DescribeLaunchConfigurations",
 "autoscaling:DescribeTags",
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
 "ec2:CreateSecurityGroup",
 "ec2:CreateTags",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeInstances",
@@ -1794,7 +1816,10 @@
 "ec2:DescribeVolumes",
 "ec2:DescribeVolumesModifications",
 "ec2:DescribeVpcs",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
 "ec2:ModifyNetworkInterfaceAttribute",
+ "ec2:ModifyVolume",
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:CreateListener",
 "elasticloadbalancing:CreateTargetGroup",
@@ -1819,7 +1844,6 @@
 "autoscaling:TerminateInstanceInAutoScalingGroup",
 "ec2:AttachVolume",
 "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteRoute",
 "ec2:DeleteSecurityGroup",
 "ec2:DeleteVolume",
 "ec2:DetachVolume",
diff --git a/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy b/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy
index 37293c14de..99f483440d 100644
--- a/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy
+++ b/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy
@@ -98,16 +98,33 @@
 "Action": "ec2:CreateTags",
 "Condition": {
 "StringEquals": {
+ "aws:RequestTag/KubernetesCluster": "privatecalico.example.com",
 "ec2:CreateAction": [
- "CreateVolume",
- "CreateSnapshot"
+ "CreateSecurityGroup"
 ]
 }
 },
 "Effect": "Allow",
 "Resource": [
- "arn:aws-test:ec2:*:*:volume/*",
- "arn:aws-test:ec2:*:*:snapshot/*"
+ "arn:aws-test:ec2:*:*:securitygroups/*"
+ ]
+ },
+ {
+ "Action": [
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ],
+ "Condition": {
+ "Null": {
+ "aws:RequestTag/KubernetesCluster": "true"
+ },
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "privatecalico.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws-test:ec2:*:*:securitygroups/*"
 ]
 },
 {
@@ -152,8 +169,13 @@
 "autoscaling:DescribeAutoScalingInstances",
 "autoscaling:DescribeLaunchConfigurations",
 "autoscaling:DescribeTags",
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
 "ec2:CreateSecurityGroup",
 "ec2:CreateTags",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeInstances",
@@ -166,7 +188,10 @@
 "ec2:DescribeVolumes",
 "ec2:DescribeVolumesModifications",
 "ec2:DescribeVpcs",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
 "ec2:ModifyNetworkInterfaceAttribute",
+ "ec2:ModifyVolume",
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:CreateListener",
 "elasticloadbalancing:CreateTargetGroup",
@@ -191,7 +216,6 @@
 "autoscaling:TerminateInstanceInAutoScalingGroup",
 "ec2:AttachVolume",
 "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteRoute",
 "ec2:DeleteSecurityGroup",
 "ec2:DeleteVolume",
 "ec2:DetachVolume",
diff --git a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy
index 50f67c8ac6..7e1924e0c8 100644
--- a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy
+++ b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy
@@ -98,16 +98,33 @@
 "Action": "ec2:CreateTags",
 "Condition": {
 "StringEquals": {
+ "aws:RequestTag/KubernetesCluster": "privatecanal.example.com",
 "ec2:CreateAction": [
- "CreateVolume",
- "CreateSnapshot"
+ "CreateSecurityGroup"
 ]
 }
 },
 "Effect": "Allow",
 "Resource": [
- "arn:aws-test:ec2:*:*:volume/*",
- "arn:aws-test:ec2:*:*:snapshot/*"
+ "arn:aws-test:ec2:*:*:securitygroups/*"
+ ]
+ },
+ {
+ "Action": [
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ],
+ "Condition": {
+ "Null": {
+ "aws:RequestTag/KubernetesCluster": "true"
+ },
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "privatecanal.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws-test:ec2:*:*:securitygroups/*"
 ]
 },
 {
@@ -152,8 +169,13 @@
 "autoscaling:DescribeAutoScalingInstances",
 "autoscaling:DescribeLaunchConfigurations",
 "autoscaling:DescribeTags",
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
 "ec2:CreateSecurityGroup",
 "ec2:CreateTags",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteVolume",
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeInstances",
@@ -166,6 +188,9 @@
 "ec2:DescribeVolumes",
 "ec2:DescribeVolumesModifications",
 "ec2:DescribeVpcs",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume",
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:CreateListener",
 "elasticloadbalancing:CreateTargetGroup",
@@ -190,7 +215,6 @@
 "autoscaling:TerminateInstanceInAutoScalingGroup",
 "ec2:AttachVolume",
 "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteRoute",
 "ec2:DeleteSecurityGroup",
 "ec2:DeleteVolume",
 "ec2:DetachVolume",
diff --git a/tests/integration/update_cluster/privatecilium/cloudformation.json b/tests/integration/update_cluster/privatecilium/cloudformation.json
index c8d7dd44ed..6f495cfaa0 100644
--- a/tests/integration/update_cluster/privatecilium/cloudformation.json
+++ b/tests/integration/update_cluster/privatecilium/cloudformation.json
@@ -1712,16 +1712,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privatecilium.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "privatecilium.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -1766,8 +1783,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -1780,6 +1802,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -1804,7 +1829,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy b/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy index c225de8163..327347684b 100644 
--- a/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy +++ b/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy @@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privatecilium.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "privatecilium.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -152,8 +169,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -166,6 +188,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -190,7 +215,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", 
diff --git a/tests/integration/update_cluster/privatecilium2/cloudformation.json b/tests/integration/update_cluster/privatecilium2/cloudformation.json index c8d7dd44ed..6f495cfaa0 100644 --- a/tests/integration/update_cluster/privatecilium2/cloudformation.json +++ b/tests/integration/update_cluster/privatecilium2/cloudformation.json @@ -1712,16 +1712,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privatecilium.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "privatecilium.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -1766,8 +1783,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -1780,6 +1802,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -1804,7 +1829,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", 
diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy b/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy index c225de8163..327347684b 100644 --- a/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy +++ b/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy @@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privatecilium.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "privatecilium.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -152,8 +169,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -166,6 +188,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", 
@@ -190,7 +215,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json b/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json index e18929a92d..99bbb58b77 100644 --- a/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json +++ b/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json @@ -1755,16 +1755,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privateciliumadvanced.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -1811,10 +1828,15 @@ "autoscaling:DescribeTags", "ec2:AssignPrivateIpAddresses", "ec2:AttachNetworkInterface", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateNetworkInterface", "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2:DeleteNetworkInterface", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", 
@@ -1830,7 +1852,10 @@ "ec2:DescribeVpcPeeringConnections", "ec2:DescribeVpcs", "ec2:DetachNetworkInterface", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", "ec2:ModifyNetworkInterfaceAttribute", + "ec2:ModifyVolume", "ec2:UnassignPrivateIpAddresses", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", @@ -1856,7 +1881,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy b/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy index 13ffe68a4b..247b8e3e8a 100644 --- a/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy +++ b/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy @@ -108,16 +108,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privateciliumadvanced.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { 
@@ -164,10 +181,15 @@ "autoscaling:DescribeTags", "ec2:AssignPrivateIpAddresses", "ec2:AttachNetworkInterface", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateNetworkInterface", "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2:DeleteNetworkInterface", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -183,7 +205,10 @@ "ec2:DescribeVpcPeeringConnections", "ec2:DescribeVpcs", "ec2:DetachNetworkInterface", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", "ec2:ModifyNetworkInterfaceAttribute", + "ec2:ModifyVolume", "ec2:UnassignPrivateIpAddresses", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", @@ -209,7 +234,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy b/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy index d323fd7a31..ab4657111e 100644 --- a/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy +++ b/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy 
@@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privatedns1.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "privatedns1.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -152,8 +169,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -166,6 +188,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -190,7 +215,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy b/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy index f0ac7c132b..57b4426808 100644 
--- a/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy +++ b/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy @@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privatedns2.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "privatedns2.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -152,8 +169,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -166,6 +188,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -190,7 +215,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", 
diff --git a/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy b/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy index 50cfe6e6f8..5474cae1eb 100644 --- a/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy +++ b/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy @@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privateflannel.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "privateflannel.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -152,8 +169,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -166,6 +188,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", 
@@ -190,7 +215,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy b/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy index 5751df46b7..abf6fba6cc 100644 --- a/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy +++ b/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy @@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privatekopeio.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "privatekopeio.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -152,8 +169,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", 
@@ -166,6 +188,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -190,7 +215,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy b/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy index 148653c14d..cb45289af7 100644 --- a/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy +++ b/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy @@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privateweave.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "privateweave.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { 
@@ -152,8 +169,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -166,6 +188,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -190,7 +215,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy index e7a32649b0..a7cf7944ad 100644 --- a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy 
@@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -115,8 +132,13 @@ "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", "ec2:DescribeRegions", @@ -125,6 +147,9 @@ "ec2:DescribeSubnets", "ec2:DescribeVolumes", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -145,14 +170,9 @@ }, { "Action": [ - "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume", "ec2:RevokeSecurityGroupIngress", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", @@ -186,7 +206,6 @@ { "Action": [ "ec2:CreateSecurityGroup", - "ec2:CreateVolume", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateTargetGroup" 
diff --git a/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy b/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy index 411d95b7b8..8dcac9c3aa 100644 --- a/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy +++ b/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy @@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "sharedsubnet.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "sharedsubnet.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -152,8 +169,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -166,6 +188,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", 
@@ -190,7 +215,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy b/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy index 618f51f6dc..f67339997b 100644 --- a/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy +++ b/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy @@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "sharedvpc.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "sharedvpc.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -152,8 +169,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", 
@@ -166,6 +188,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -190,7 +215,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy b/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy index a562ea94ab..527f11b7b5 100644 --- a/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy +++ b/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy @@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "unmanaged.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "unmanaged.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { 
@@ -152,8 +169,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -166,6 +188,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -190,7 +215,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", diff --git a/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy index cdf37d463c..df51d25b6c 100644 --- a/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy 
@@ -98,16 +98,33 @@ "Action": "ec2:CreateTags", "Condition": { "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com", "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" + "CreateSecurityGroup" ] } }, "Effect": "Allow", "Resource": [ - "arn:aws-test:ec2:*:*:volume/*", - "arn:aws-test:ec2:*:*:snapshot/*" + "arn:aws-test:ec2:*:*:securitygroups/*" + ] + }, + { + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Condition": { + "Null": { + "aws:RequestTag/KubernetesCluster": "true" + }, + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws-test:ec2:*:*:securitygroups/*" ] }, { @@ -152,8 +169,13 @@ "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", @@ -166,6 +188,9 @@ "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", @@ -190,7 +215,6 @@ "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume",