From b3f274e1408d285956bd35ede1db61034b8761a6 Mon Sep 17 00:00:00 2001 
From: Ole Markus With
Date: Sat, 19 Jun 2021 08:32:32 +0200
Subject: [PATCH 1/3] Apply permissions to master role when irsa is not used
---
pkg/model/iam/iam_builder.go | 10 +--
.../iam/tests/iam_builder_master_strict.json | 83 +++++++++++++++++++
.../tests/iam_builder_master_strict_ecr.json | 83 +++++++++++++++++++
.../apiservernodes/cloudformation.json | 58 ++++++-------
..._policy_masters.minimal.example.com_policy | 83 -------------------
...masters.bastionuserdata.example.com_policy | 58 ++++++-------
.../complex/cloudformation.json | 58 ++++++-------
..._policy_masters.complex.example.com_policy | 58 ++++++-------
...policy_masters.compress.example.com_policy | 58 ++++++-------
.../containerd-custom/cloudformation.json | 58 ++++++-------
.../containerd/cloudformation.json | 58 ++++++-------
.../docker-custom/cloudformation.json | 58 ++++++-------
...licy_masters.existingsg.example.com_policy | 58 ++++++-------
.../externallb/cloudformation.json | 58 ++++++-------
...licy_masters.externallb.example.com_policy | 58 ++++++-------
...asters.externalpolicies.example.com_policy | 58 ++++++-------
..._role_policy_masters.ha.example.com_policy | 58 ++++++-------
..._policy_masters.minimal.example.com_policy | 58 ++++++-------
.../minimal-etcd/cloudformation.json | 58 ++++++-------
.../minimal-gp3/cloudformation.json | 58 ++++++-------
..._policy_masters.minimal.example.com_policy | 58 ++++++-------
.../minimal-ipv6/cloudformation.json | 58 ++++++-------
...cy_masters.minimal-ipv6.example.com_policy | 58 ++++++-------
...cy_masters.minimal-json.example.com_policy | 58 ++++++-------
.../minimal/cloudformation.json | 58 ++++++-------
..._policy_masters.minimal.example.com_policy | 58 ++++++-------
.../mixed_instances/cloudformation.json | 58 ++++++-------
..._masters.mixedinstances.example.com_policy | 58 ++++++-------
.../mixed_instances_spot/cloudformation.json | 58 ++++++-------
..._masters.mixedinstances.example.com_policy | 58 ++++++-------
.../nth_sqs_resources/cloudformation.json | 58 ++++++-------
...masters.nthsqsresources.example.com_policy | 58 ++++++-------
.../private-shared-ip/cloudformation.json | 58 ++++++-------
...sters.private-shared-ip.example.com_policy | 58 ++++++-------
...s.private-shared-subnet.example.com_policy | 58 ++++++-------
.../privatecalico/cloudformation.json | 58 ++++++-------
...y_masters.privatecalico.example.com_policy | 58 ++++++-------
...cy_masters.privatecanal.example.com_policy | 58 ++++++-------
.../privatecilium/cloudformation.json | 58 ++++++-------
...y_masters.privatecilium.example.com_policy | 58 ++++++-------
.../privatecilium2/cloudformation.json | 58 ++++++-------
...y_masters.privatecilium.example.com_policy | 58 ++++++-------
.../privateciliumadvanced/cloudformation.json | 58 ++++++-------
...s.privateciliumadvanced.example.com_policy | 58 ++++++-------
...icy_masters.privatedns1.example.com_policy | 58 ++++++-------
...icy_masters.privatedns2.example.com_policy | 58 ++++++-------
..._masters.privateflannel.example.com_policy | 58 ++++++-------
...y_masters.privatekopeio.example.com_policy | 58 ++++++-------
...cy_masters.privateweave.example.com_policy | 58 ++++++-------
..._policy_masters.minimal.example.com_policy | 83 -------------------
...cy_masters.sharedsubnet.example.com_policy | 58 ++++++-------
...olicy_masters.sharedvpc.example.com_policy | 58 ++++++-------
...olicy_masters.unmanaged.example.com_policy | 58 ++++++-------
..._policy_masters.minimal.example.com_policy | 58 ++++++-------
.../awscloudcontroller/manifest.yaml | 2 +-
55 files changed, 1592 insertions(+), 1594 deletions(-)
diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
index 996f3bac78..05be4dae85 100644
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@@ -306,16 +306,14 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) { addKMSIAMPolicies(p, stringorslice.Slice(b.KMSKeys)) } - if !fi.BoolValue(b.Cluster.Spec.CloudConfig.AWSEBSCSIDriver.Enabled) { - esc := b.Cluster.Spec.SnapshotController != nil && - fi.BoolValue(b.Cluster.Spec.SnapshotController.Enabled) - AddAWSEBSCSIDriverPermissions(p, clusterName, esc) - } - // Protokube needs dns-controller permissions in instance role even if UseServiceAccountIAM. AddDNSControllerPermissions(b, p) if !b.UseServiceAccountIAM { + esc := b.Cluster.Spec.SnapshotController != nil && + fi.BoolValue(b.Cluster.Spec.SnapshotController.Enabled) + AddAWSEBSCSIDriverPermissions(p, clusterName, esc) + if b.Cluster.Spec.AWSLoadBalancerController != nil && fi.BoolValue(b.Cluster.Spec.AWSLoadBalancerController.Enabled) { AddAWSLoadbalancerControllerPermissions(p, resource, b.Cluster.GetName()) } diff --git a/pkg/model/iam/tests/iam_builder_master_strict.json b/pkg/model/iam/tests/iam_builder_master_strict.json index 4f87b7cec1..05f171f497 100644 --- a/pkg/model/iam/tests/iam_builder_master_strict.json +++ b/pkg/model/iam/tests/iam_builder_master_strict.json 
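Review bot: Moving the `AddAWSEBSCSIDriverPermissions(p, clusterName, esc)` call under `if !b.UseServiceAccountIAM` drops the old `AWSEBSCSIDriver.Enabled` check, so a cluster that uses service-account IAM but leaves the CSI driver disabled no longer gets these volume statements on the master role. The 83 lines deleted from the aws-lb-controller policy fixture later in this patch appear to be exactly that case. If in-tree volume handling on the control plane still depends on those statements (not visible from this hunk), keep it covered with a separate guard such as `if !b.UseServiceAccountIAM || !fi.BoolValue(b.Cluster.Spec.CloudConfig.AWSEBSCSIDriver.Enabled) {` rather than sharing the load-balancer block's condition. In the other direction, every non-IRSA master instance role now carries the volume and tag statements whichever driver is in use, so a comment such as `// Without IRSA the EBS volume permissions must live on the instance role, so grant them here regardless of driver.` would record why the role is widened. BuildAWSPolicy starts and ends outside the hunk.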
@@ -215,6 +215,89 @@ "key-id-3" ] }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications", + "ec2:DescribeTags" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:CreateVolume" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "iam-builder-test.k8s.local" + } + }, + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:ModifyVolume", + "ec2:ModifyInstanceAttribute", + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" + } + }, + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": "ec2:DeleteTags", + "Condition": { + "StringEquals": { + "ec2:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" + } + }, + "Effect": "Allow", + "Resource": "*" + }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json index 39452aa92e..70d3d4fbc7 100644 --- a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json +++ b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json 
@@ -215,6 +215,89 @@ "key-id-3" ] }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications", + "ec2:DescribeTags" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:CreateVolume" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "iam-builder-test.k8s.local" + } + }, + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:ModifyVolume", + "ec2:ModifyInstanceAttribute", + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" + } + }, + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": "ec2:DeleteTags", + "Condition": { + "StringEquals": { + "ec2:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" + } + }, + "Effect": "Allow", + "Resource": "*" + }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/apiservernodes/cloudformation.json b/tests/integration/update_cluster/apiservernodes/cloudformation.json index 3904ccbdcd..0a58994c4e 100644 --- a/tests/integration/update_cluster/apiservernodes/cloudformation.json +++ b/tests/integration/update_cluster/apiservernodes/cloudformation.json 
@@ -1444,6 +1444,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -1527,35 +1556,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy index 5c11777228..c2fdaa0ef4 100644 --- a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy 
@@ -180,89 +180,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": "ec2:CreateTags", - "Condition": { - "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": "ec2:DeleteTags", - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "route53:ChangeResourceRecordSets", diff --git a/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy b/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy index 07c3e57df3..68b611ccfb 100644 --- a/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy 
+++ b/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy @@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/complex/cloudformation.json b/tests/integration/update_cluster/complex/cloudformation.json index 2c1ea53edd..cd0b158c92 100644 --- a/tests/integration/update_cluster/complex/cloudformation.json +++ b/tests/integration/update_cluster/complex/cloudformation.json 
@@ -1743,6 +1743,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -1826,35 +1855,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy b/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy index 6a8fdef3a3..68dff413ec 100644 --- a/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy +++ b/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy 
@@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy b/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy index ca740414bf..c07a6f1f45 100644 --- a/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy +++ b/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy 
@@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/containerd-custom/cloudformation.json b/tests/integration/update_cluster/containerd-custom/cloudformation.json index 63fadae077..2cc0e4646b 100644 --- a/tests/integration/update_cluster/containerd-custom/cloudformation.json +++ b/tests/integration/update_cluster/containerd-custom/cloudformation.json @@ -1126,6 +1126,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", 
@@ -1209,35 +1238,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/containerd/cloudformation.json b/tests/integration/update_cluster/containerd/cloudformation.json index 63fadae077..2cc0e4646b 100644 --- a/tests/integration/update_cluster/containerd/cloudformation.json +++ b/tests/integration/update_cluster/containerd/cloudformation.json @@ -1126,6 +1126,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -1209,35 +1238,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", 
diff --git a/tests/integration/update_cluster/docker-custom/cloudformation.json b/tests/integration/update_cluster/docker-custom/cloudformation.json index 8b19628278..8bbf571c05 100644 --- a/tests/integration/update_cluster/docker-custom/cloudformation.json +++ b/tests/integration/update_cluster/docker-custom/cloudformation.json @@ -1126,6 +1126,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -1209,35 +1238,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy b/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy index be1eaf6948..33ab4129b2 100644 --- a/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy +++ b/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy 
@@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/externallb/cloudformation.json b/tests/integration/update_cluster/externallb/cloudformation.json index 2f6a77628b..e3341d4a9f 100644 --- a/tests/integration/update_cluster/externallb/cloudformation.json +++ b/tests/integration/update_cluster/externallb/cloudformation.json @@ -1142,6 +1142,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", 
@@ -1225,35 +1254,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy b/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy index fc6a2a8640..3812aee5a6 100644 --- a/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy +++ b/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy @@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", 
@@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy b/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy index abbbd86f56..ed6fbb028e 100644 --- a/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy +++ b/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy @@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", 
@@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy b/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy index 403068b0ed..ed8144cf88 100644 --- a/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy +++ b/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy @@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", 
@@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy index eb614d49e6..711538fc42 100644 --- a/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", 
@@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/minimal-etcd/cloudformation.json b/tests/integration/update_cluster/minimal-etcd/cloudformation.json index f6894825d1..cc96263487 100644 --- a/tests/integration/update_cluster/minimal-etcd/cloudformation.json +++ b/tests/integration/update_cluster/minimal-etcd/cloudformation.json @@ -1126,6 +1126,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -1209,35 +1238,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", 
diff --git a/tests/integration/update_cluster/minimal-gp3/cloudformation.json b/tests/integration/update_cluster/minimal-gp3/cloudformation.json index c734a7c22f..ee8c3c6a4c 100644 --- a/tests/integration/update_cluster/minimal-gp3/cloudformation.json +++ b/tests/integration/update_cluster/minimal-gp3/cloudformation.json @@ -1122,6 +1122,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -1205,35 +1234,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy index eb614d49e6..711538fc42 100644 --- a/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy 
@@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/minimal-ipv6/cloudformation.json b/tests/integration/update_cluster/minimal-ipv6/cloudformation.json index 9e0606df15..dfb86f146d 100644 --- a/tests/integration/update_cluster/minimal-ipv6/cloudformation.json +++ b/tests/integration/update_cluster/minimal-ipv6/cloudformation.json @@ -1303,6 +1303,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", 
@@ -1386,35 +1415,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy b/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy index 9eda27de24..67b8aecb5d 100644 --- a/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy +++ b/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy @@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", 
@@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy b/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy index d93e2789c7..ef2af1d281 100644 --- a/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy +++ b/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy @@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", 
@@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/minimal/cloudformation.json b/tests/integration/update_cluster/minimal/cloudformation.json index 63334c6d6a..eb8e9472b1 100644 --- a/tests/integration/update_cluster/minimal/cloudformation.json +++ b/tests/integration/update_cluster/minimal/cloudformation.json @@ -1126,6 +1126,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -1209,35 +1238,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", 
diff --git a/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy index eb614d49e6..711538fc42 100644 --- a/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/mixed_instances/cloudformation.json b/tests/integration/update_cluster/mixed_instances/cloudformation.json index eb12a58df7..ca2b1a4524 100644 --- a/tests/integration/update_cluster/mixed_instances/cloudformation.json +++ b/tests/integration/update_cluster/mixed_instances/cloudformation.json 
@@ -1839,6 +1839,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -1922,35 +1951,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy b/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy index 70c5f048b1..e905b07cdb 100644 --- a/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy +++ b/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy 
@@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json b/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json index 0df357bbaa..eff3016e95 100644 --- a/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json +++ b/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json @@ -1840,6 +1840,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", 
@@ -1923,35 +1952,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy b/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy index 70c5f048b1..e905b07cdb 100644 --- a/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy +++ b/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy @@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", 
@@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json b/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json index b024c99059..5bf089d91f 100644 --- a/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json +++ b/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json @@ -1236,6 +1236,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -1319,35 +1348,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", 
diff --git a/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy b/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy index 41490319ce..16e508bcbd 100644 --- a/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy +++ b/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy @@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/private-shared-ip/cloudformation.json b/tests/integration/update_cluster/private-shared-ip/cloudformation.json index af7b434c0a..00db6db9da 100644 --- a/tests/integration/update_cluster/private-shared-ip/cloudformation.json +++ b/tests/integration/update_cluster/private-shared-ip/cloudformation.json 
@@ -1643,6 +1643,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -1726,35 +1755,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy b/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy index c4f5688013..403d72cc4f 100644 --- a/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy +++ b/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy 
@@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy b/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy index ddd47b9a60..85d5b9ba32 100644 --- a/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy +++ b/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy 
@@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/privatecalico/cloudformation.json b/tests/integration/update_cluster/privatecalico/cloudformation.json index ff0d2aac4c..3fff21f96a 100644 --- a/tests/integration/update_cluster/privatecalico/cloudformation.json +++ b/tests/integration/update_cluster/privatecalico/cloudformation.json @@ -1799,6 +1799,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", 
@@ -1882,35 +1911,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy b/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy index a1c000bbd3..15604b5e72 100644 --- a/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy +++ b/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy @@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", 
@@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy index 21502ca0c6..ab146ecb23 100644 --- a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy +++ b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy @@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", 
@@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/privatecilium/cloudformation.json b/tests/integration/update_cluster/privatecilium/cloudformation.json index 236e54eed6..bf391a28a7 100644 --- a/tests/integration/update_cluster/privatecilium/cloudformation.json +++ b/tests/integration/update_cluster/privatecilium/cloudformation.json @@ -1785,6 +1785,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -1868,35 +1897,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", 
diff --git a/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy b/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy index 1a3bea66c2..0c457d0f94 100644 --- a/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy +++ b/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy @@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/privatecilium2/cloudformation.json b/tests/integration/update_cluster/privatecilium2/cloudformation.json index 236e54eed6..bf391a28a7 100644 --- a/tests/integration/update_cluster/privatecilium2/cloudformation.json +++ b/tests/integration/update_cluster/privatecilium2/cloudformation.json 
@@ -1785,6 +1785,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -1868,35 +1897,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy b/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy index 1a3bea66c2..0c457d0f94 100644 --- a/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy +++ b/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy 
@@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json b/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json index 1f77622d4e..56498dd555 100644 --- a/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json +++ b/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json @@ -1818,6 +1818,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", 
@@ -1901,35 +1930,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy b/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy index d4d347db09..7144b2b0c0 100644 --- a/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy +++ b/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy @@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", 
@@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy b/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy index 3c549decb8..2fa13e762b 100644 --- a/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy +++ b/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy @@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z2AFAKE1ZON3NO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", 
@@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z2AFAKE1ZON3NO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy b/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy index 1f45e3b2d1..90eb539783 100644 --- a/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy +++ b/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy @@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z3AFAKE1ZOMORE" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", 
@@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z3AFAKE1ZOMORE" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy b/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy index 7451ef9cac..005c9911ff 100644 --- a/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy +++ b/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy @@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", 
@@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy b/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy index 76a46349c8..4992f3150e 100644 --- a/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy +++ b/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy @@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", 
@@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy b/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy index 34c239c0e8..50e095db4d 100644 --- a/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy +++ b/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy @@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", 
@@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy index 5c11777228..c2fdaa0ef4 100644 --- a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy 
@@ -180,89 +180,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": "ec2:CreateTags", - "Condition": { - "StringEquals": { - "ec2:CreateAction": [ - "CreateVolume", - "CreateSnapshot" - ] - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": "ec2:DeleteTags", - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "route53:ChangeResourceRecordSets", diff --git a/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy b/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy index 36486c4ec5..f72aeb9480 100644 --- a/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy 
+++ b/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy @@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy b/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy index 12560d1987..484105b9ef 100644 --- a/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy +++ b/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy 
@@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy b/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy index cc68105dd4..6d690bbc8a 100644 --- a/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy +++ b/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy 
@@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy index eb614d49e6..711538fc42 100644 --- a/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy 
@@ -180,6 +180,35 @@ "*" ] }, + { + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + "route53:GetHostedZone" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" + ] + }, + { + "Action": [ + "route53:GetChange" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:route53:::change/*" + ] + }, + { + "Action": [ + "route53:ListHostedZones" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, { "Action": [ "ec2:DescribeAccountAttributes", @@ -263,35 +292,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets", - "route53:GetHostedZone" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" - ] - }, - { - "Action": [ - "route53:GetChange" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:route53:::change/*" - ] - }, - { - "Action": [ - "route53:ListHostedZones" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awscloudcontroller/manifest.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awscloudcontroller/manifest.yaml index 25d90046d8..8945055688 100644 --- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awscloudcontroller/manifest.yaml +++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awscloudcontroller/manifest.yaml @@ -63,7 +63,7 @@ spec: - id: k8s-1.17 kubernetesVersion: '>=1.17.0' manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml - manifestHash: 6a7573ef86563668e447d952098d8c79066a339d + manifestHash: 59c7723a8a9271558c6a87ccb0f0c61c2e36c6ed name: aws-ebs-csi-driver.addons.k8s.io selector: k8s-addon: aws-ebs-csi-driver.addons.k8s.io From 14fb35d0d001bddd929f46bf68f6f0a152d9c4d6 Mon Sep 17 00:00:00 2001 
From: Ole Markus With Date: Sat, 19 Jun 2021 08:33:04 +0200 Subject: [PATCH 2/3] Bump EBS Driver to 1.1.0 --- pkg/model/components/awsebscsidriver.go | 2 +- tests/e2e/scenarios/aws-ebs-csi/run-test.sh | 5 +-- .../k8s-1.17.yaml.template | 41 +++++++++++++++++-- 3 files changed, 41 insertions(+), 7 deletions(-) diff --git a/pkg/model/components/awsebscsidriver.go b/pkg/model/components/awsebscsidriver.go index ed3acf9210..9168c7a42f 100644 --- a/pkg/model/components/awsebscsidriver.go +++ b/pkg/model/components/awsebscsidriver.go @@ -48,7 +48,7 @@ func (b *AWSEBSCSIDriverOptionsBuilder) BuildOptions(o interface{}) error { } if c.Version == nil { - version := "v1.0.0" + version := "v1.1.0" c.Version = fi.String(version) } diff --git a/tests/e2e/scenarios/aws-ebs-csi/run-test.sh b/tests/e2e/scenarios/aws-ebs-csi/run-test.sh index 1f50f3bc7c..efb68e8e02 100755 --- a/tests/e2e/scenarios/aws-ebs-csi/run-test.sh +++ b/tests/e2e/scenarios/aws-ebs-csi/run-test.sh @@ -17,8 +17,6 @@ REPO_ROOT=$(git rev-parse --show-toplevel); source "${REPO_ROOT}"/tests/e2e/scenarios/lib/common.sh -REPORT_DIR="${ARTIFACTS:-$(pwd)/_artifacts}/aws-ebs-csi-driver/" - export KOPS_BASE_URL KOPS_BASE_URL="$(curl -s https://storage.googleapis.com/kops-ci/bin/latest-ci-updown-green.txt)" KOPS=$(kops-download-from-base) @@ -30,12 +28,13 @@ OVERRIDES="$OVERRIDES --override=cluster.spec.certManager.enabled=true" kops-up ZONE=$(${KOPS} get ig -o json | jq -r '[.[] | select(.spec.role=="Node") | .spec.subnets[0]][0]') +REPORT_DIR="${ARTIFACTS:-$(pwd)/_artifacts}/aws-ebs-csi-driver/" # shellcheck disable=SC2164 cd "$(mktemp -dt kops.XXXXXXXXX)" go get github.com/onsi/ginkgo/ginkgo -git clone --branch v1.0.0 https://github.com/kubernetes-sigs/aws-ebs-csi-driver.git . +git clone --branch v1.1.0 https://github.com/kubernetes-sigs/aws-ebs-csi-driver.git . # shellcheck disable=SC2164 cd tests/e2e-kubernetes/ 
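Review bot: The added `git clone --branch v1.1.0 https://github.com/kubernetes-sigs/aws-ebs-csi-driver.git .` line in the `@@ -30,12 +28,13 @@` hunk checks the e2e suite out by tag, and an upstream tag can be re-pointed, so the code this script goes on to build and run against the test cluster is not fixed by the commit. Pinning the checkout to a reviewed commit would make the run reproducible, for example by following the clone with `git checkout --detach <PINNED_COMMIT_SHA>` (a placeholder, since the page gives no commit id). The `v1.1.0` literal also duplicates the default set in `pkg/model/components/awsebscsidriver.go` by the same patch, so a comment such as `# keep in sync with the default driver version in awsebscsidriver.go` would help the two stay aligned. The script continues outside the hunk.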
diff --git a/upup/models/cloudup/resources/addons/aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml.template b/upup/models/cloudup/resources/addons/aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml.template index 41eeea2275..f497290dff 100644 --- a/upup/models/cloudup/resources/addons/aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml.template +++ b/upup/models/cloudup/resources/addons/aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml.template @@ -294,7 +294,7 @@ spec: - --volume-attach-limit={{ .VolumeAttachLimit }} {{- end }} - --logtostderr - - --v=5 + - --v=2 env: - name: CSI_ENDPOINT value: unix:/csi/csi.sock @@ -379,7 +379,7 @@ metadata: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/version: {{ .Version }} spec: - replicas: 2 + replicas: {{ ControlPlaneControllerReplicas }} selector: matchLabels: app: ebs-csi-controller @@ -393,6 +393,26 @@ spec: app.kubernetes.io/instance: aws-ebs-csi-driver app.kubernetes.io/version: {{ .Version }} spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - ebs-csi-controller + topologyKey: kubernetes.com/hostname + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - ebs-csi-controller + topologyKey: topology.kubernetes.io/zone nodeSelector: kubernetes.io/os: linux {{ if not UseServiceAccountIAM }} @@ -523,4 +543,19 @@ metadata: spec: attachRequired: true podInfoOnMount: false -{{ end }} +--- +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: ebs-csi-controller + labels: + app.kubernetes.io/name: aws-ebs-csi-driver + app.kubernetes.io/instance: aws-ebs-csi-driver + app.kubernetes.io/version: {{ .Version }} +spec: + selector: + matchLabels: + app: ebs-csi-controller + app.kubernetes.io/instance: aws-ebs-csi-driver + maxUnavailable: 1 +{{ end }} \ No newline at end of file 
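Review bot: The required anti-affinity term added in the `@@ -393,6 +393,26 @@` hunk uses `topologyKey: kubernetes.com/hostname`, which is not the well-known node label; the label set on nodes is `kubernetes.io/hostname`. Nodes that lack the key form no topology domain, so this term most likely never matches, and two `ebs-csi-controller` replicas could still land on the same node and be lost together when it fails. The line should read `topologyKey: kubernetes.io/hostname`. With the key corrected the rule becomes a hard constraint, so it is worth confirming that `ControlPlaneControllerReplicas` never exceeds the number of schedulable nodes; that helper is defined outside this hunk, as is the rest of the pod spec.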
From 79a2c111f2a2d137a433ebd1fa3362f9b9b7c704 Mon Sep 17 00:00:00 2001 
From: Ole Markus With Date: Sun, 20 Jun 2021 09:55:35 +0200 Subject: [PATCH 3/3] Remove redundant permissions --- pkg/model/iam/iam_builder.go | 65 +++---- .../iam/tests/iam_builder_master_strict.json | 66 ++----- .../tests/iam_builder_master_strict_ecr.json | 66 ++----- .../apiservernodes/cloudformation.json | 83 ++------- ....kube-system.sa.minimal.example.com_policy | 66 ++----- ..._policy_masters.minimal.example.com_policy | 66 ++----- ...masters.bastionuserdata.example.com_policy | 66 ++----- .../complex/cloudformation.json | 66 ++----- ..._policy_masters.complex.example.com_policy | 66 ++----- ...policy_masters.compress.example.com_policy | 66 ++----- .../containerd-custom/cloudformation.json | 66 ++----- .../containerd/cloudformation.json | 66 ++----- .../docker-custom/cloudformation.json | 66 ++----- ...licy_masters.existingsg.example.com_policy | 66 ++----- .../externallb/cloudformation.json | 66 ++----- ...licy_masters.externallb.example.com_policy | 66 ++----- ...asters.externalpolicies.example.com_policy | 66 ++----- ..._role_policy_masters.ha.example.com_policy | 66 ++----- ..._policy_masters.minimal.example.com_policy | 66 ++----- ..._policy_masters.minimal.example.com_policy | 172 +++++++++++++----- ...t-1a.masters.minimal.example.com_user_data | 2 +- ...mplate_nodes.minimal.example.com_user_data | 2 +- .../minimal-etcd/cloudformation.json | 66 ++----- .../minimal-gp3/cloudformation.json | 66 ++----- ..._policy_masters.minimal.example.com_policy | 66 ++----- .../minimal-ipv6/cloudformation.json | 66 ++----- ...cy_masters.minimal-ipv6.example.com_policy | 66 ++----- ...cy_masters.minimal-json.example.com_policy | 66 ++----- ...asters.minimal-warmpool.example.com_policy | 149 ++++++++++----- ...ers.minimal-warmpool.example.com_user_data | 2 +- ...des.minimal-warmpool.example.com_user_data | 4 +- .../minimal/cloudformation.json | 66 ++----- ..._policy_masters.minimal.example.com_policy | 66 ++----- ...le_policy_masters.minimal.k8s.local_policy | 66 
++----- .../mixed_instances/cloudformation.json | 66 ++----- ..._masters.mixedinstances.example.com_policy | 66 ++----- .../mixed_instances_spot/cloudformation.json | 66 ++----- ..._masters.mixedinstances.example.com_policy | 66 ++----- .../nth_sqs_resources/cloudformation.json | 66 ++----- ...masters.nthsqsresources.example.com_policy | 66 ++----- .../private-shared-ip/cloudformation.json | 66 ++----- ...sters.private-shared-ip.example.com_policy | 66 ++----- ...s.private-shared-subnet.example.com_policy | 66 ++----- .../privatecalico/cloudformation.json | 66 ++----- ...y_masters.privatecalico.example.com_policy | 66 ++----- ...cy_masters.privatecanal.example.com_policy | 66 ++----- .../privatecilium/cloudformation.json | 66 ++----- ...y_masters.privatecilium.example.com_policy | 66 ++----- .../privatecilium2/cloudformation.json | 66 ++----- ...y_masters.privatecilium.example.com_policy | 66 ++----- .../privateciliumadvanced/cloudformation.json | 66 ++----- ...s.privateciliumadvanced.example.com_policy | 66 ++----- ...icy_masters.privatedns1.example.com_policy | 66 ++----- ...icy_masters.privatedns2.example.com_policy | 66 ++----- ..._masters.privateflannel.example.com_policy | 66 ++----- ...y_masters.privatekopeio.example.com_policy | 66 ++----- ...cy_masters.privateweave.example.com_policy | 66 ++----- ..._policy_masters.minimal.example.com_policy | 66 ++----- ...cy_masters.sharedsubnet.example.com_policy | 66 ++----- ...olicy_masters.sharedvpc.example.com_policy | 66 ++----- ...olicy_masters.unmanaged.example.com_policy | 66 ++----- ..._policy_masters.minimal.example.com_policy | 66 ++----- 62 files changed, 1355 insertions(+), 2688 deletions(-) diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go index 05be4dae85..076a5f0de1 100644 --- a/pkg/model/iam/iam_builder.go +++ b/pkg/model/iam/iam_builder.go 
@@ -1057,21 +1057,6 @@ func AddMasterEC2Policies(p *Policy, resource stringorslice.StringOrSlice, clust
 },
 },
 },
- &Statement{
- Effect: StatementEffectAllow,
- Action: stringorslice.Of(
- "ec2:AttachVolume", // aws.go
- "ec2:AuthorizeSecurityGroupIngress", // aws.go
- "ec2:DeleteSecurityGroup", // aws.go
- "ec2:RevokeSecurityGroupIngress", // aws.go
- ),
- Resource: resource,
- Condition: Condition{
- "StringEquals": map[string]string{
- "ec2:ResourceTag/kubernetes.io/cluster/" + clusterName: "owned",
- },
- },
- },
 )
 }
 
@@ -1080,44 +1065,36 @@ func AddMasterELBPolicies(p *Policy, resource stringorslice.StringOrSlice) {
 p.Statement = append(p.Statement, &Statement{
 Effect: StatementEffectAllow,
 Action: stringorslice.Of(
- "elasticloadbalancing:AddTags", // aws_loadbalancer.go
- "elasticloadbalancing:AttachLoadBalancerToSubnets", // aws_loadbalancer.go
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", // aws_loadbalancer.go
+ "ec2:DescribeVpcs", // aws_loadbalancer.go
+ "elasticloadbalancing:DescribeLoadBalancers", // aws.go
+ "elasticloadbalancing:DescribeLoadBalancerAttributes", // aws.go
+ "elasticloadbalancing:DescribeListeners", // aws_loadbalancer.go
+ "elasticloadbalancing:DescribeLoadBalancerPolicies", // aws_loadbalancer.go
+ "elasticloadbalancing:DescribeTargetGroups", // aws_loadbalancer.go
+ "elasticloadbalancing:DescribeTargetHealth", // aws_loadbalancer.go
+ "elasticloadbalancing:CreateListener", // aws_loadbalancer.go
+ "elasticloadbalancing:CreateTargetGroup", // aws_loadbalancer.go
 "elasticloadbalancing:CreateLoadBalancer", // aws_loadbalancer.go
 "elasticloadbalancing:CreateLoadBalancerPolicy", // aws_loadbalancer.go
 "elasticloadbalancing:CreateLoadBalancerListeners", // aws_loadbalancer.go
- "elasticloadbalancing:ConfigureHealthCheck", // aws_loadbalancer.go
 "elasticloadbalancing:DeleteLoadBalancer", // aws.go
 "elasticloadbalancing:DeleteLoadBalancerListeners", // aws_loadbalancer.go
- "elasticloadbalancing:DescribeLoadBalancers", // aws.go
- "elasticloadbalancing:DescribeLoadBalancerAttributes", // aws.go
+ "elasticloadbalancing:DeleteListener", // aws_loadbalancer.go
+ "elasticloadbalancing:DeleteTargetGroup", // aws_loadbalancer.go
+ "elasticloadbalancing:AddTags", // aws_loadbalancer.go
+ "elasticloadbalancing:ModifyLoadBalancerAttributes", // aws_loadbalancer.go
+ "elasticloadbalancing:ModifyListener", // aws_loadbalancer.go
+ "elasticloadbalancing:ModifyTargetGroup", // aws_loadbalancer.go
+ "elasticloadbalancing:AttachLoadBalancerToSubnets", // aws_loadbalancer.go
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", // aws_loadbalancer.go
+ "elasticloadbalancing:ConfigureHealthCheck", // aws_loadbalancer.go
 "elasticloadbalancing:DetachLoadBalancerFromSubnets", // aws_loadbalancer.go
 "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", // aws_loadbalancer.go
- "elasticloadbalancing:ModifyLoadBalancerAttributes", // aws_loadbalancer.go
 "elasticloadbalancing:RegisterInstancesWithLoadBalancer", // aws_loadbalancer.go
 "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", // aws_loadbalancer.go
- ),
- Resource: resource,
- })
-
- p.Statement = append(p.Statement, &Statement{
- Effect: StatementEffectAllow,
- Action: stringorslice.Of(
- "ec2:DescribeVpcs", // aws_loadbalancer.go
- "elasticloadbalancing:AddTags", // aws_loadbalancer.go
- "elasticloadbalancing:CreateListener", // aws_loadbalancer.go
- "elasticloadbalancing:CreateTargetGroup", // aws_loadbalancer.go
- "elasticloadbalancing:DeleteListener", // aws_loadbalancer.go
- "elasticloadbalancing:DeleteTargetGroup", // aws_loadbalancer.go
- "elasticloadbalancing:DeregisterTargets", // aws_loadbalancer.go
- "elasticloadbalancing:DescribeListeners", // aws_loadbalancer.go
- "elasticloadbalancing:DescribeLoadBalancerPolicies", // aws_loadbalancer.go
- "elasticloadbalancing:DescribeTargetGroups", // aws_loadbalancer.go
- "elasticloadbalancing:DescribeTargetHealth", // aws_loadbalancer.go
- "elasticloadbalancing:ModifyListener", // aws_loadbalancer.go
- "elasticloadbalancing:ModifyTargetGroup", // aws_loadbalancer.go
- "elasticloadbalancing:RegisterTargets", // aws_loadbalancer.go
- "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", // aws_loadbalancer.go
+ "elasticloadbalancing:DeregisterTargets", // aws_loadbalancer.go
+ "elasticloadbalancing:RegisterTargets", // aws_loadbalancer.go
+ "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", // aws_loadbalancer.go
 ),
 Resource: resource,
 })
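Review bot: The merged `Action` list in this hunk still grants every create, delete and modify call (`elasticloadbalancing:DeleteLoadBalancer`, `DeleteTargetGroup`, `ModifyListener`, `AddTags` and the rest) on `resource` with no `Condition`, and the fixtures updated by this patch render the statement it replaces with `"Resource": ["*"]`. The statement removed from AddMasterEC2Policies in the previous hunk was limited by `"ec2:ResourceTag/kubernetes.io/cluster/" + clusterName: "owned"`; the same split would fit here, leaving the `Describe*` actions unconditioned and moving the mutating ones into a statement that carries a cluster-tag condition. That needs the cluster name, which AddMasterELBPolicies does not receive, so it is likely a follow-up rather than part of this commit. Until then I would put a comment above the list, for example `// Describe* first, then mutating calls; none of these are tag-scoped yet`, so the breadth is recorded as known. The function begins and ends outside the hunk, so any condition added after `Resource: resource,` is not visible here.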
diff --git a/pkg/model/iam/tests/iam_builder_master_strict.json b/pkg/model/iam/tests/iam_builder_master_strict.json index 05f171f497..1cc65bb873 100644 --- a/pkg/model/iam/tests/iam_builder_master_strict.json +++ b/pkg/model/iam/tests/iam_builder_master_strict.json @@ -46,23 +46,6 @@ "*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/kubernetes.io/cluster/iam-builder-test.k8s.local": "owned" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { 
@@ -118,43 +101,34 @@ }, { "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyListener", 
"elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], diff --git a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json index 70d3d4fbc7..0a3b0f94d6 100644 --- a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json +++ b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json @@ -46,23 +46,6 @@ "*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/kubernetes.io/cluster/iam-builder-test.k8s.local": "owned" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { 
@@ -118,43 +101,34 @@ }, { "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyListener", 
"elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], diff --git a/tests/integration/update_cluster/apiservernodes/cloudformation.json b/tests/integration/update_cluster/apiservernodes/cloudformation.json index 0a58994c4e..f67e7849ec 100644 --- a/tests/integration/update_cluster/apiservernodes/cloudformation.json +++ b/tests/integration/update_cluster/apiservernodes/cloudformation.json @@ -1207,23 +1207,6 @@ "*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/kubernetes.io/cluster/minimal.example.com": "owned" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "autoscaling:DescribeAutoScalingInstances", "Effect": "Allow", @@ -1310,23 +1293,6 @@ "*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/kubernetes.io/cluster/minimal.example.com": "owned" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { 
@@ -1382,43 +1348,34 @@ }, { "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyListener", 
"elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], diff --git a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy index 8e5227d3b4..3b73eca3ed 100644 --- a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy +++ b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy 
@@ -93,60 +93,34 @@ }, { "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/kubernetes.io/cluster/minimal.example.com": "owned" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + 
"elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyListener", "elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], diff --git a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy index c2fdaa0ef4..50e1103044 100644 --- a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -46,23 +46,6 @@ "*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/kubernetes.io/cluster/minimal.example.com": "owned" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { 
@@ -118,43 +101,34 @@ }, { "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyListener", 
"elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], diff --git a/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy b/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy index 68b611ccfb..e5e3862b89 100644 --- a/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy +++ b/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy @@ -46,23 +46,6 @@ "*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/kubernetes.io/cluster/bastionuserdata.example.com": "owned" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { 
@@ -118,43 +101,34 @@ }, { "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyListener", 
"elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], diff --git a/tests/integration/update_cluster/complex/cloudformation.json b/tests/integration/update_cluster/complex/cloudformation.json index cd0b158c92..c6b3200635 100644 --- a/tests/integration/update_cluster/complex/cloudformation.json +++ b/tests/integration/update_cluster/complex/cloudformation.json @@ -1609,23 +1609,6 @@ "*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/kubernetes.io/cluster/complex.example.com": "owned" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { 
@@ -1681,43 +1664,34 @@ }, { "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyListener", 
"elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], diff --git a/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy b/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy index 68dff413ec..8f2b8a8585 100644 --- a/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy +++ b/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy @@ -46,23 +46,6 @@ "*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/kubernetes.io/cluster/complex.example.com": "owned" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { 
@@ -118,43 +101,34 @@ }, { "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyListener", 
"elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], diff --git a/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy b/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy index c07a6f1f45..d7bfe6eac6 100644 --- a/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy +++ b/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy @@ -46,23 +46,6 @@ "*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/kubernetes.io/cluster/compress.example.com": "owned" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { 
@@ -118,43 +101,34 @@ }, { "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyListener", 
"elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], diff --git a/tests/integration/update_cluster/containerd-custom/cloudformation.json b/tests/integration/update_cluster/containerd-custom/cloudformation.json index 2cc0e4646b..572e68273c 100644 --- a/tests/integration/update_cluster/containerd-custom/cloudformation.json +++ b/tests/integration/update_cluster/containerd-custom/cloudformation.json @@ -992,23 +992,6 @@ "*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/kubernetes.io/cluster/containerd.example.com": "owned" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { 
@@ -1064,43 +1047,34 @@ }, { "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyListener", 
"elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], diff --git a/tests/integration/update_cluster/containerd/cloudformation.json b/tests/integration/update_cluster/containerd/cloudformation.json index 2cc0e4646b..572e68273c 100644 --- a/tests/integration/update_cluster/containerd/cloudformation.json +++ b/tests/integration/update_cluster/containerd/cloudformation.json @@ -992,23 +992,6 @@ "*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/kubernetes.io/cluster/containerd.example.com": "owned" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { 
@@ -1064,43 +1047,34 @@ }, { "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyListener", 
"elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], diff --git a/tests/integration/update_cluster/docker-custom/cloudformation.json b/tests/integration/update_cluster/docker-custom/cloudformation.json index 8bbf571c05..c1e34927ec 100644 --- a/tests/integration/update_cluster/docker-custom/cloudformation.json +++ b/tests/integration/update_cluster/docker-custom/cloudformation.json @@ -992,23 +992,6 @@ "*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/kubernetes.io/cluster/docker.example.com": "owned" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { 
@@ -1064,43 +1047,34 @@ }, { "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyListener", 
"elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], diff --git a/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy b/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy index 33ab4129b2..6e2e0966b4 100644 --- a/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy +++ b/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy @@ -46,23 +46,6 @@ "*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/kubernetes.io/cluster/existingsg.example.com": "owned" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { 
@@ -118,43 +101,34 @@ }, { "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyListener", 
"elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], diff --git a/tests/integration/update_cluster/externallb/cloudformation.json b/tests/integration/update_cluster/externallb/cloudformation.json index e3341d4a9f..aaf7d40d83 100644 --- a/tests/integration/update_cluster/externallb/cloudformation.json +++ b/tests/integration/update_cluster/externallb/cloudformation.json @@ -1008,23 +1008,6 @@ "*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/kubernetes.io/cluster/externallb.example.com": "owned" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { 
@@ -1080,43 +1063,34 @@ }, { "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyListener", 
"elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], diff --git a/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy b/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy index 3812aee5a6..5221234f09 100644 --- a/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy +++ b/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy @@ -46,23 +46,6 @@ "*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/kubernetes.io/cluster/externallb.example.com": "owned" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { 
@@ -118,43 +101,34 @@ }, { "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyListener", 
"elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], diff --git a/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy b/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy index ed6fbb028e..af6689d677 100644 --- a/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy +++ b/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy @@ -46,23 +46,6 @@ "*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/kubernetes.io/cluster/externalpolicies.example.com": "owned" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { 
@@ -118,43 +101,34 @@ }, { "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyListener", 
"elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], diff --git a/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy b/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy index ed8144cf88..055cc01000 100644 --- a/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy +++ b/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy @@ -46,23 +46,6 @@ "*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/kubernetes.io/cluster/ha.example.com": "owned" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { 
@@ -118,43 +101,34 @@ }, { "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyListener", 
"elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], diff --git a/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy index 711538fc42..51b73ecf76 100644 --- a/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -46,23 +46,6 @@ "*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/kubernetes.io/cluster/minimal.example.com": "owned" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { 
@@ -118,43 +101,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy
index b1a59e7cee..3077cf2aaf 100644
--- a/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy
+++ b/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy
@@ -46,23 +46,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/minimal.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -118,43 +101,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
@@ -209,6 +183,112 @@
 "*"
 ]
 },
+ {
+ "Action": [
+ "ec2:CreateSnapshot",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeSnapshots"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Action": "ec2:DeleteSnapshot",
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "minimal.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Action": [
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeInstances",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeVolumesModifications",
+ "ec2:DescribeTags"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": [
+ "ec2:CreateVolume"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:RequestTag/KubernetesCluster": "minimal.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": [
+ "ec2:ModifyVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:AttachVolume",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "minimal.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": "ec2:CreateTags",
+ "Condition": {
+ "StringEquals": {
+ "ec2:CreateAction": [
+ "CreateVolume",
+ "CreateSnapshot"
+ ]
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws:ec2:*:*:volume/*",
+ "arn:aws:ec2:*:*:snapshot/*"
+ ]
+ },
+ {
+ "Action": "ec2:DeleteTags",
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/KubernetesCluster": "minimal.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws:ec2:*:*:volume/*",
+ "arn:aws:ec2:*:*:snapshot/*"
+ ]
+ },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "ec2:ResourceTag/KubernetesCluster": "minimal.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": "*"
+ },
 {
 "Action": [
 "ec2:DescribeAvailabilityZones",
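Review bot: `ec2:CreateSnapshot` is granted in the first added statement with `"Resource": ["*"]` and no `Condition`, while `ec2:DeleteSnapshot`, `ec2:CreateVolume` and the volume mutations that follow are all tied to the `KubernetesCluster` tag; as written the master role can snapshot any EBS volume in the account, not only the cluster's. Consider splitting it out so the source volume is scoped, e.g. a statement on `arn:aws:ec2:*:*:volume/*` with `"aws:ResourceTag/KubernetesCluster": "minimal.example.com"` plus one for `arn:aws:ec2:*:*:snapshot/*`, leaving only the `Describe*` calls unconditioned; this file is expected test output, so the change belongs in the policy builder that emits it. The last added statement also repeats `ec2:AttachVolume`, `ec2:DeleteVolume` and `ec2:DetachVolume` from the `ec2:ModifyVolume` statement, differing only in `ec2:ResourceTag` versus `aws:ResourceTag`, so one of the two grants looks redundant. The `@@ -46,23 +46,6 @@` hunk of this file removes `ec2:AuthorizeSecurityGroupIngress` and `ec2:DeleteSecurityGroup` and only `ec2:RevokeSecurityGroupIngress` reappears here, which is worth confirming as intended unless unchanged parts of the policy still grant them.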
diff --git a/tests/integration/update_cluster/many-addons/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data b/tests/integration/update_cluster/many-addons/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data
index 891aca081c..579ecc3f4e 100644
--- a/tests/integration/update_cluster/many-addons/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data
+++ b/tests/integration/update_cluster/many-addons/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data
@@ -123,7 +123,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC'
 cloudConfig:
 awsEBSCSIDriver:
 enabled: true
- version: v1.0.0
+ version: v1.1.0
 manageStorageClasses: true
 containerRuntime: containerd
 containerd:
diff --git a/tests/integration/update_cluster/many-addons/data/aws_launch_template_nodes.minimal.example.com_user_data b/tests/integration/update_cluster/many-addons/data/aws_launch_template_nodes.minimal.example.com_user_data
index d651e44ef5..3b99d06286 100644
--- a/tests/integration/update_cluster/many-addons/data/aws_launch_template_nodes.minimal.example.com_user_data
+++ b/tests/integration/update_cluster/many-addons/data/aws_launch_template_nodes.minimal.example.com_user_data
@@ -123,7 +123,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC'
 cloudConfig:
 awsEBSCSIDriver:
 enabled: true
- version: v1.0.0
+ version: v1.1.0
 manageStorageClasses: true
 containerRuntime: containerd
 containerd:
diff --git a/tests/integration/update_cluster/minimal-etcd/cloudformation.json b/tests/integration/update_cluster/minimal-etcd/cloudformation.json
index cc96263487..fab2af45dd 100644
--- a/tests/integration/update_cluster/minimal-etcd/cloudformation.json
+++ b/tests/integration/update_cluster/minimal-etcd/cloudformation.json
@@ -992,23 +992,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/minimal-etcd.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -1064,43 +1047,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/minimal-gp3/cloudformation.json b/tests/integration/update_cluster/minimal-gp3/cloudformation.json
index ee8c3c6a4c..a09c9885e7 100644
--- a/tests/integration/update_cluster/minimal-gp3/cloudformation.json
+++ b/tests/integration/update_cluster/minimal-gp3/cloudformation.json
@@ -988,23 +988,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/minimal.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -1060,43 +1043,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy
index 711538fc42..51b73ecf76 100644
--- a/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy
+++ b/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy
@@ -46,23 +46,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/minimal.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -118,43 +101,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/minimal-ipv6/cloudformation.json b/tests/integration/update_cluster/minimal-ipv6/cloudformation.json
index dfb86f146d..88baf37611 100644
--- a/tests/integration/update_cluster/minimal-ipv6/cloudformation.json
+++ b/tests/integration/update_cluster/minimal-ipv6/cloudformation.json
@@ -1169,23 +1169,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/minimal-ipv6.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -1241,43 +1224,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy b/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy
index 67b8aecb5d..c988978327 100644
--- a/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy
+++ b/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy
@@ -46,23 +46,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/minimal-ipv6.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -118,43 +101,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy b/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy
index ef2af1d281..15fe07a28b 100644
--- a/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy
+++ b/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy
@@ -46,23 +46,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/minimal-json.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -118,43 +101,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy b/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy
index 82e011dda2..1da57a041a 100644
--- a/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy
+++ b/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy
@@ -46,23 +46,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/minimal-warmpool.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -118,43 +101,34 @@ }, { "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyListener", 
"elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], 
@@ -209,6 +183,89 @@ "*" ] }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications", + "ec2:DescribeTags" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:CreateVolume" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal-warmpool.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:ModifyVolume", + "ec2:ModifyInstanceAttribute", + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal-warmpool.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": "ec2:DeleteTags", + "Condition": { + "StringEquals": { + "ec2:ResourceTag/KubernetesCluster": "minimal-warmpool.example.com" + } + }, + "Effect": "Allow", + "Resource": [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*" + ] + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/KubernetesCluster": "minimal-warmpool.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" + }, { "Action": [ "autoscaling:SetDesiredCapacity", diff --git a/tests/integration/update_cluster/minimal-warmpool/data/aws_launch_template_master-us-test-1a.masters.minimal-warmpool.example.com_user_data b/tests/integration/update_cluster/minimal-warmpool/data/aws_launch_template_master-us-test-1a.masters.minimal-warmpool.example.com_user_data index e4d6ce0c3e..d118236053 100644 
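Review bot: The last added statement grants `ec2:AttachVolume`, `ec2:DeleteVolume` and `ec2:DetachVolume` a second time: the third added statement already allows them under `aws:ResourceTag/KubernetesCluster`, and this one repeats them under `ec2:ResourceTag/KubernetesCluster` with the same cluster name. Two grants for one action under two condition keys make the effective policy harder to audit, and tightening one statement later would be silently undone by the other. This file is a generated fixture, so the change belongs in the policy builder (`pkg/model/iam/iam_builder.go` in the diffstat): emit the volume actions once, leaving the last statement as `"Action": "ec2:RevokeSecurityGroupIngress",`. The statement this file loses in its `@@ -46,23 +46,6 @@` hunk also carried `ec2:AuthorizeSecurityGroupIngress` and `ec2:DeleteSecurityGroup` under the `kubernetes.io/cluster/...: owned` tag, and neither reappears in this hunk, so it is worth confirming they are still granted elsewhere in the policy or were dropped on purpose. The enclosing `Statement` array starts and ends outside the hunk.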
--- a/tests/integration/update_cluster/minimal-warmpool/data/aws_launch_template_master-us-test-1a.masters.minimal-warmpool.example.com_user_data +++ b/tests/integration/update_cluster/minimal-warmpool/data/aws_launch_template_master-us-test-1a.masters.minimal-warmpool.example.com_user_data @@ -123,7 +123,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.0.0 + version: v1.1.0 manageStorageClasses: true containerRuntime: containerd containerd: diff --git a/tests/integration/update_cluster/minimal-warmpool/data/aws_launch_template_nodes.minimal-warmpool.example.com_user_data b/tests/integration/update_cluster/minimal-warmpool/data/aws_launch_template_nodes.minimal-warmpool.example.com_user_data index e1cd207ac4..9f0d606066 100644 --- a/tests/integration/update_cluster/minimal-warmpool/data/aws_launch_template_nodes.minimal-warmpool.example.com_user_data +++ b/tests/integration/update_cluster/minimal-warmpool/data/aws_launch_template_nodes.minimal-warmpool.example.com_user_data @@ -123,7 +123,7 @@ cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC' cloudConfig: awsEBSCSIDriver: enabled: true - version: v1.0.0 + version: v1.1.0 manageStorageClasses: true containerRuntime: containerd containerd: @@ -241,7 +241,7 @@ containerdConfig: | SystemdCgroup = true warmPoolImages: - k8s.gcr.io/kube-proxy:v1.21.0 -- k8s.gcr.io/provider-aws/aws-ebs-csi-driver:v1.0.0 +- k8s.gcr.io/provider-aws/aws-ebs-csi-driver:v1.1.0 - k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.1.0 - k8s.gcr.io/sig-storage/livenessprobe:v2.2.0 - quay.io/cilium/cilium:v1.10.0 diff --git a/tests/integration/update_cluster/minimal/cloudformation.json b/tests/integration/update_cluster/minimal/cloudformation.json index eb8e9472b1..bab66659f2 100644 --- a/tests/integration/update_cluster/minimal/cloudformation.json +++ b/tests/integration/update_cluster/minimal/cloudformation.json 
@@ -992,23 +992,6 @@ "*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/kubernetes.io/cluster/minimal.example.com": "owned" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { 
@@ -1064,43 +1047,34 @@ }, { "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyListener", 
"elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], diff --git a/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy index 711538fc42..51b73ecf76 100644 --- a/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -46,23 +46,6 @@ "*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/kubernetes.io/cluster/minimal.example.com": "owned" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { 
@@ -118,43 +101,34 @@ }, { "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyListener", 
"elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], diff --git a/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy b/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy index 1436c45723..21d4efa254 100644 --- a/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy +++ b/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy @@ -46,23 +46,6 @@ "*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/kubernetes.io/cluster/minimal.k8s.local": "owned" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { 
@@ -118,43 +101,34 @@ }, { "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyListener", 
"elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], diff --git a/tests/integration/update_cluster/mixed_instances/cloudformation.json b/tests/integration/update_cluster/mixed_instances/cloudformation.json index ca2b1a4524..519cca0dd5 100644 --- a/tests/integration/update_cluster/mixed_instances/cloudformation.json +++ b/tests/integration/update_cluster/mixed_instances/cloudformation.json @@ -1705,23 +1705,6 @@ "*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/kubernetes.io/cluster/mixedinstances.example.com": "owned" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { 
@@ -1777,43 +1760,34 @@ }, { "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyListener", 
"elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], diff --git a/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy b/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy index e905b07cdb..c7d861912f 100644 --- a/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy +++ b/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy @@ -46,23 +46,6 @@ "*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/kubernetes.io/cluster/mixedinstances.example.com": "owned" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { 
@@ -118,43 +101,34 @@ }, { "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyListener", 
"elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], diff --git a/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json b/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json index eff3016e95..3cb9f0de24 100644 --- a/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json +++ b/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json @@ -1706,23 +1706,6 @@ "*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/kubernetes.io/cluster/mixedinstances.example.com": "owned" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { 
@@ -1778,43 +1761,34 @@ }, { "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyListener", 
"elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], diff --git a/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy b/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy index e905b07cdb..c7d861912f 100644 --- a/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy +++ b/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy @@ -46,23 +46,6 @@ "*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/kubernetes.io/cluster/mixedinstances.example.com": "owned" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { 
@@ -118,43 +101,34 @@ }, { "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", + "ec2:DescribeVpcs", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyListener", 
"elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], diff --git a/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json b/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json index 5bf089d91f..fcb2095cb8 100644 --- a/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json +++ b/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json @@ -1102,23 +1102,6 @@ "*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/kubernetes.io/cluster/nthsqsresources.example.com": "owned" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "autoscaling:CompleteLifecycleAction", "Condition": { 
@@ -1174,43 +1157,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy b/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy
index 16e508bcbd..d3997fbfff 100644
--- a/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy
+++ b/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy
@@ -46,23 +46,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/nthsqsresources.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -118,43 +101,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/private-shared-ip/cloudformation.json b/tests/integration/update_cluster/private-shared-ip/cloudformation.json
index 00db6db9da..329318a8b5 100644
--- a/tests/integration/update_cluster/private-shared-ip/cloudformation.json
+++ b/tests/integration/update_cluster/private-shared-ip/cloudformation.json
@@ -1509,23 +1509,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/private-shared-ip.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -1581,43 +1564,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy b/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy
index 403d72cc4f..e097a5a82d 100644
--- a/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy
+++ b/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy
@@ -46,23 +46,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/private-shared-ip.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -118,43 +101,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy b/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy
index 85d5b9ba32..82f616168b 100644
--- a/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy
+++ b/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy
@@ -46,23 +46,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/private-shared-subnet.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -118,43 +101,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/privatecalico/cloudformation.json b/tests/integration/update_cluster/privatecalico/cloudformation.json
index 3fff21f96a..e0fb4e7fce 100644
--- a/tests/integration/update_cluster/privatecalico/cloudformation.json
+++ b/tests/integration/update_cluster/privatecalico/cloudformation.json
@@ -1665,23 +1665,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/privatecalico.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -1737,43 +1720,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy b/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy
index 15604b5e72..c44a20bf2c 100644
--- a/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy
+++ b/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy
@@ -46,23 +46,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/privatecalico.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -118,43 +101,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy
index ab146ecb23..d98db02a8d 100644
--- a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy
+++ b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy
@@ -46,23 +46,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/privatecanal.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -118,43 +101,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/privatecilium/cloudformation.json b/tests/integration/update_cluster/privatecilium/cloudformation.json
index bf391a28a7..a1fb1044ff 100644
--- a/tests/integration/update_cluster/privatecilium/cloudformation.json
+++ b/tests/integration/update_cluster/privatecilium/cloudformation.json
@@ -1651,23 +1651,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/privatecilium.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -1723,43 +1706,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy b/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy
index 0c457d0f94..85875dd28f 100644
--- a/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy
+++ b/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy
@@ -46,23 +46,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/privatecilium.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -118,43 +101,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/privatecilium2/cloudformation.json b/tests/integration/update_cluster/privatecilium2/cloudformation.json
index bf391a28a7..a1fb1044ff 100644
--- a/tests/integration/update_cluster/privatecilium2/cloudformation.json
+++ b/tests/integration/update_cluster/privatecilium2/cloudformation.json
@@ -1651,23 +1651,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/privatecilium.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
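Review bot: Every mutating load-balancer action in the merged `Action` list of the `@@ -118,43 +101,34 @@` hunk of `aws_iam_role_policy_masters.privatecilium.example.com_policy` (`elasticloadbalancing:CreateLoadBalancer`, `DeleteLoadBalancer`, `DeleteTargetGroup`, `ModifyListener`, …) appears to stay unscoped: the classic-ELB statement it absorbs was `"Resource": ["*"]` with no `Condition`, and the merged statement's `Effect`/`Resource` lines lie below the hunk, so this is inferred rather than shown. The 30 entries are exactly the union of the two old statements, so nothing is widened here, but a control-plane role able to delete or modify any load balancer in the account is likely broader than the cluster needs. Consider moving the `Describe*` actions into their own statement and putting a cluster-tag condition on the rest, in the style of the EC2 statement removed in this file's first hunk, `"ec2:ResourceTag/kubernetes.io/cluster/privatecilium.example.com": "owned"`; which ELB condition keys each listed action supports needs checking against the IAM service reference first. The same list recurs in the other fixture hunks of this patch.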
@@ -1723,43 +1706,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy b/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy
index 0c457d0f94..85875dd28f 100644
--- a/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy
+++ b/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy
@@ -46,23 +46,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/privatecilium.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -118,43 +101,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json b/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json
index 56498dd555..df447bf572 100644
--- a/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json
+++ b/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json
@@ -1684,23 +1684,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/privateciliumadvanced.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -1756,43 +1739,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy b/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy
index 7144b2b0c0..baa8cc53ec 100644
--- a/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy
+++ b/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy
@@ -46,23 +46,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/privateciliumadvanced.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -118,43 +101,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy b/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy
index 2fa13e762b..797f54444a 100644
--- a/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy
+++ b/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy
@@ -46,23 +46,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/privatedns1.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -118,43 +101,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy b/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy
index 90eb539783..70c3cae5e6 100644
--- a/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy
+++ b/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy
@@ -46,23 +46,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/privatedns2.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -118,43 +101,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy b/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy
index 005c9911ff..1dd3fda051 100644
--- a/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy
+++ b/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy
@@ -46,23 +46,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/privateflannel.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -118,43 +101,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy b/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy
index 4992f3150e..4f0d821199 100644
--- a/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy
+++ b/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy
@@ -46,23 +46,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/privatekopeio.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -118,43 +101,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy b/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy
index 50e095db4d..372df4b6dd 100644
--- a/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy
+++ b/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy
@@ -46,23 +46,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/privateweave.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -118,43 +101,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy
index c2fdaa0ef4..50e1103044 100644
--- a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy
+++ b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy
@@ -46,23 +46,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/minimal.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
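Review bot: The merged `Action` list in the `@@ -118,43 +101,34 @@` hunk is the exact union of the two removed load-balancer statements, but the classic-ELB actions now inherit the `Effect` and `Resource` of the surviving statement, whose closing lines sit below the hunk. The removed statement granted them on `"Resource": [ "*" ]`, so it is worth confirming the surviving one is also unscoped; otherwise the fixture change is not permission-neutral. The list is also no longer alphabetical. Sorting the actions in the builder before the policy is marshalled (for example with `sort.Strings`) would keep later fixture diffs auditable line by line. The same hunk repeats in every master policy fixture in this patch.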
@@ -118,43 +101,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy b/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy
index f72aeb9480..28d2b40f02 100644
--- a/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy
+++ b/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy
@@ -46,23 +46,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/sharedsubnet.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -118,43 +101,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy b/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy
index 484105b9ef..232ea1580a 100644
--- a/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy
+++ b/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy
@@ -46,23 +46,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/sharedvpc.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -118,43 +101,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy b/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy
index 6d690bbc8a..574f17c47e 100644
--- a/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy
+++ b/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy
@@ -46,23 +46,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/unmanaged.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -118,43 +101,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],
diff --git a/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy
index 711538fc42..51b73ecf76 100644
--- a/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy
+++ b/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy
@@ -46,23 +46,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/minimal.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": "autoscaling:CompleteLifecycleAction",
 "Condition": {
@@ -118,43 +101,34 @@
 },
 {
 "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "ec2:DescribeVpcs",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerPolicy",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:AttachLoadBalancerToSubnets",
+ "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+ "elasticloadbalancing:DeregisterTargets",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
 ],