diff --git a/pkg/model/components/addonmanifests/awsebscsidriver/iam.go b/pkg/model/components/addonmanifests/awsebscsidriver/iam.go
index 3175e737cd..7512ac5ead 100644
--- a/pkg/model/components/addonmanifests/awsebscsidriver/iam.go
+++ b/pkg/model/components/addonmanifests/awsebscsidriver/iam.go
@@ -36,7 +36,7 @@ func (r *ServiceAccount) BuildAWSPolicy(b *iam.PolicyBuilder) (*iam.Policy, erro
 	p := iam.NewPolicy(clusterName)
 
 	addSnapshotControllerPermissions := b.Cluster.Spec.SnapshotController != nil && fi.BoolValue(b.Cluster.Spec.SnapshotController.Enabled)
-	iam.AddAWSEBSCSIDriverPermissions(p, b.Cluster.ObjectMeta.Name, addSnapshotControllerPermissions)
+	iam.AddAWSEBSCSIDriverPermissions(p, addSnapshotControllerPermissions)
 
 	return p, nil
 }
diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
index bface606ac..b965adecfe 100644
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@@ -317,9 +317,7 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 	resource := createResource(b)
 	clusterName := b.Cluster.GetName()
 
-	p := &Policy{
-		Version: PolicyDefaultVersion,
-	}
+	p := NewPolicy(clusterName)
 
 	AddMasterEC2Policies(p, resource, b.Cluster.GetName())
 	addASLifecyclePolicies(p, resource, b.Cluster.GetName(), true)
@@ -343,7 +341,7 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 
 	if !b.UseServiceAccountIAM {
 		esc := b.Cluster.Spec.SnapshotController != nil && fi.BoolValue(b.Cluster.Spec.SnapshotController.Enabled)
-		AddAWSEBSCSIDriverPermissions(p, clusterName, esc)
+		AddAWSEBSCSIDriverPermissions(p, esc)
 
 		if b.Cluster.Spec.AWSLoadBalancerController != nil && fi.BoolValue(b.Cluster.Spec.AWSLoadBalancerController.Enabled) {
 			AddAWSLoadbalancerControllerPermissions(p, resource, b.Cluster.GetName())
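Review bot: `p := NewPolicy(clusterName)` is load-bearing rather than cosmetic, and nothing in the hunk says so: the rewritten helpers further down (`AddAWSEBSCSIDriverPermissions`, `addSnapshotPersmissions`) call `Insert` on `p.unconditionalAction` / `p.clusterTaggedAction` and read `p.clusterName`, so a `Policy` built as a bare literal, as this line used to do, would presumably hand them an unpopulated set and an empty cluster name in the tag conditions. A one-line comment would protect the next refactor: `// NewPolicy initialises the action sets and clusterName that the Add*Permissions helpers below rely on.` Separately, the two calls that follow still spell `b.Cluster.GetName()` although `clusterName` now holds the same value; `AddMasterEC2Policies(p, resource, clusterName)` and `addASLifecyclePolicies(p, resource, clusterName, true)` read more consistently. BuildAWSPolicy continues outside the hunk.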
@@ -377,7 +375,7 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 	}
 
 	if b.Cluster.Spec.SnapshotController != nil && fi.BoolValue(b.Cluster.Spec.SnapshotController.Enabled) {
-		addSnapshotPersmissions(p, b.Cluster.GetName())
+		addSnapshotPersmissions(p)
 	}
 
 	return p, nil
 }
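Review bot: `addSnapshotPersmissions(p)` here repeats the call that `AddAWSEBSCSIDriverPermissions(p, esc)` already makes in the previous hunk under the identical SnapshotController condition, if the `}` that opens this hunk closes that `!b.UseServiceAccountIAM` block rather than something else (the enclosing function starts and ends outside the hunk, so I cannot tell). With set-backed `Insert` the second call is merely redundant on that path instead of the duplicate statements the old append-based version would have produced, but the reader is left to work that out; either drop it or annotate it: `// TODO(review): confirm whether this is also reached on the !UseServiceAccountIAM path, where AddAWSEBSCSIDriverPermissions has already inserted these actions.` Since this commit changes the function's signature anyway, it is a good moment to fix the spelling to `addSnapshotPermissions`.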
@@ -829,54 +827,38 @@ func AddClusterAutoscalerPermissions(p *Policy, clusterName string) {
 }
 
 // AddAWSEBSCSIDriverPermissions appens policy statements that the AWS EBS CSI Driver needs to operate.
-func AddAWSEBSCSIDriverPermissions(p *Policy, clusterName string, appendSnapshotPermissions bool) {
-
-	everything := stringorslice.String("*")
+func AddAWSEBSCSIDriverPermissions(p *Policy, appendSnapshotPermissions bool) {
 	if appendSnapshotPermissions {
-		addSnapshotPersmissions(p, clusterName)
+		addSnapshotPersmissions(p)
 	}
+	p.unconditionalAction.Insert(
+		"ec2:DescribeAccountAttributes",    // aws.go
+		"ec2:DescribeInstances",            // aws.go
+		"ec2:DescribeVolumes",              // aws.go
+		"ec2:DescribeVolumesModifications", // aws.go
+		"ec2:DescribeTags",                 // aws.go
+	)
+	p.clusterTaggedAction.Insert(
+		"ec2:ModifyVolume",            // aws.go
+		"ec2:ModifyInstanceAttribute", // aws.go
+		"ec2:AttachVolume",            // aws.go
+		"ec2:DeleteVolume",            // aws.go
+		"ec2:DetachVolume",            // aws.go
+	)
+
 	p.Statement = append(p.Statement,
-		&Statement{
-			Effect: StatementEffectAllow,
-			Action: stringorslice.Slice([]string{
-				"ec2:DescribeAccountAttributes",    // aws.go
-				"ec2:DescribeInstances",            // aws.go
-				"ec2:DescribeVolumes",              // aws.go
-				"ec2:DescribeVolumesModifications", // aws.go
-				"ec2:DescribeTags",                 // aws.go
-			}),
-			Resource: everything,
-		},
 		&Statement{
 			Effect: StatementEffectAllow,
 			Action: stringorslice.Slice([]string{
 				"ec2:CreateVolume", // aws.go
 			}),
-			Resource: everything,
+			Resource: stringorslice.String("*"),
 			Condition: Condition{
 				"StringEquals": map[string]string{
-					"aws:RequestTag/KubernetesCluster": clusterName,
-				},
-			},
-		},
-
-		&Statement{
-			Effect: StatementEffectAllow,
-			Action: stringorslice.Slice([]string{
-				"ec2:ModifyVolume",            // aws.go
-				"ec2:ModifyInstanceAttribute", // aws.go
-				"ec2:AttachVolume",            // aws.go
-				"ec2:DeleteVolume",            // aws.go
-				"ec2:DetachVolume",            // aws.go
-			}),
-
-			Resource: everything,
-			Condition: Condition{
-				"StringEquals": map[string]string{
-					"aws:ResourceTag/KubernetesCluster": clusterName,
+					"aws:RequestTag/KubernetesCluster": p.clusterName,
 				},
 			},
 		},
@@ -916,51 +898,22 @@ func AddAWSEBSCSIDriverPermissions(p *Policy, clusterName string, appendSnapshot
 			),
 			Condition: Condition{
 				"StringEquals": map[string]string{
-					"ec2:ResourceTag/KubernetesCluster": clusterName,
-				},
-			},
-		},
-
-		&Statement{
-			Effect: StatementEffectAllow,
-			Action: stringorslice.Of(
-				"ec2:AttachVolume",               // aws.go
-				"ec2:DeleteVolume",               // aws.go
-				"ec2:DetachVolume",               // aws.go
-				"ec2:RevokeSecurityGroupIngress", // aws.go
-			),
-			Resource: everything,
-			Condition: Condition{
-				"StringEquals": map[string]string{
-					"ec2:ResourceTag/KubernetesCluster": clusterName,
+					"aws:ResourceTag/KubernetesCluster": p.clusterName,
 				},
 			},
 		},
 	)
 }
 
-func addSnapshotPersmissions(p *Policy, clusterName string) {
-	p.Statement = append(p.Statement, &Statement{
-		Effect: StatementEffectAllow,
-		Action: stringorslice.Of(
-			"ec2:CreateSnapshot",
-			"ec2:DescribeAvailabilityZones",
-			"ec2:DescribeSnapshots",
-		),
-		Resource: stringorslice.Slice([]string{"*"}),
-	})
-	p.Statement = append(p.Statement, &Statement{
-		Effect: StatementEffectAllow,
-		Action: stringorslice.Of(
-			"ec2:DeleteSnapshot",
-		),
-		Resource: stringorslice.Slice([]string{"*"}),
-		Condition: Condition{
-			"StringEquals": map[string]string{
-				"aws:ResourceTag/KubernetesCluster": clusterName,
-			},
-		},
-	})
+func addSnapshotPersmissions(p *Policy) {
+	p.unconditionalAction.Insert(
+		"ec2:CreateSnapshot",
+		"ec2:DescribeAvailabilityZones",
+		"ec2:DescribeSnapshots",
+	)
+	p.clusterTaggedAction.Insert(
+		"ec2:DeleteSnapshot",
+	)
 }
diff --git a/pkg/model/iam/tests/iam_builder_master_strict.json b/pkg/model/iam/tests/iam_builder_master_strict.json
index 1cc65bb873..69856b5543 100644
--- a/pkg/model/iam/tests/iam_builder_master_strict.json
+++ b/pkg/model/iam/tests/iam_builder_master_strict.json
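Review bot: The doc comment above the new signature of AddAWSEBSCSIDriverPermissions is now stale, and the preconditions that used to be explicit parameters have moved silently into `p`: the body mainly records actions into `p.unconditionalAction` / `p.clusterTaggedAction` and reads `p.clusterName` for the `aws:RequestTag/KubernetesCluster` condition, yet the comment still says it `appens policy statements`. Suggest replacing that comment with one stating that the function records the EC2 actions the AWS EBS CSI Driver needs on p, that p must come from NewPolicy so its action sets and cluster name are populated (otherwise, if those sets are map-backed, Insert would panic and the tag condition would compare against an empty name), and that only statements which need their own Condition are still appended explicitly. The function's remaining statements continue in the next hunk, so this comment is the one place a reader learns the contract.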
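Review bot: `ec2:RevokeSecurityGroupIngress` is dropped from the CSI driver grant without a word: the removed conditional statement in this hunk carried it alongside AttachVolume/DeleteVolume/DetachVolume, and the new `clusterTaggedAction` inserts in this file do not re-add it (the fixture diffs below confirm it no longer appears in the rendered master policies). Removing an action the driver does not itself need is the right least-privilege direction, but a grant that vanishes unannounced is hard to audit later, so state in the commit message that it is intentional and, if any other control-plane component was relying on this statement for it, where that action is granted now. The DeleteTags condition key also changes from `ec2:ResourceTag/KubernetesCluster` to `aws:ResourceTag/KubernetesCluster`; both are accepted for this action, but a short comment on that line noting the deliberate switch to the global condition key would spare the next reader a check against the IAM reference.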
@@ -189,17 +189,6 @@ "key-id-3" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -212,22 +201,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -248,7 +221,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" + "aws:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" } }, "Effect": "Allow", @@ -257,21 +230,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -297,6 +255,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" 
diff --git a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json index 0a3b0f94d6..1813da14e4 100644 --- a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json +++ b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json @@ -189,17 +189,6 @@ "key-id-3" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -212,22 +201,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -248,7 +221,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" + "aws:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" } }, "Effect": "Allow", @@ -257,21 +230,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", 
@@ -312,6 +270,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/apiservernodes/cloudformation.json b/tests/integration/update_cluster/apiservernodes/cloudformation.json index 4ec44b924e..3be9f898a7 100644 --- a/tests/integration/update_cluster/apiservernodes/cloudformation.json +++ b/tests/integration/update_cluster/apiservernodes/cloudformation.json @@ -1439,17 +1439,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -1462,22 +1451,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1498,7 +1471,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" } }, "Effect": "Allow", 
@@ -1507,21 +1480,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -1547,6 +1505,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy b/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy index e5e3862b89..78630f226f 100644 --- a/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy +++ b/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy @@ -183,17 +183,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" 
@@ -206,22 +195,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "bastionuserdata.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -242,7 +215,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "bastionuserdata.example.com" + "aws:ResourceTag/KubernetesCluster": "bastionuserdata.example.com" } }, "Effect": "Allow", @@ -251,21 +224,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "bastionuserdata.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -291,6 +249,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "bastionuserdata.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/complex/cloudformation.json b/tests/integration/update_cluster/complex/cloudformation.json index 0c86105209..2aa570d686 100644 --- a/tests/integration/update_cluster/complex/cloudformation.json +++ b/tests/integration/update_cluster/complex/cloudformation.json 
@@ -1749,17 +1749,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -1772,22 +1761,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "complex.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1808,7 +1781,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "complex.example.com" + "aws:ResourceTag/KubernetesCluster": "complex.example.com" } }, "Effect": "Allow", @@ -1817,21 +1790,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "complex.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -1857,6 +1815,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "complex.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" 
diff --git a/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy b/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy index 8f2b8a8585..650d9ef590 100644 --- a/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy +++ b/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy @@ -183,17 +183,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -206,22 +195,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "complex.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -242,7 +215,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "complex.example.com" + "aws:ResourceTag/KubernetesCluster": "complex.example.com" } }, "Effect": "Allow", @@ -251,21 +224,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "complex.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", 
@@ -291,6 +249,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "complex.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy b/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy index d7bfe6eac6..fb8bb9ad0e 100644 --- a/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy +++ b/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy @@ -183,17 +183,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -206,22 +195,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "compress.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -242,7 +215,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "compress.example.com" + "aws:ResourceTag/KubernetesCluster": "compress.example.com" } }, "Effect": "Allow", 
@@ -251,21 +224,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "compress.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -291,6 +249,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "compress.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/containerd-custom/cloudformation.json b/tests/integration/update_cluster/containerd-custom/cloudformation.json index 1c7b40f4c9..c1f50da909 100644 --- a/tests/integration/update_cluster/containerd-custom/cloudformation.json +++ b/tests/integration/update_cluster/containerd-custom/cloudformation.json @@ -1135,17 +1135,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -1158,22 +1147,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "containerd.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { 
@@ -1194,7 +1167,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "containerd.example.com" + "aws:ResourceTag/KubernetesCluster": "containerd.example.com" } }, "Effect": "Allow", @@ -1203,21 +1176,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "containerd.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -1243,6 +1201,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "containerd.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/containerd/cloudformation.json b/tests/integration/update_cluster/containerd/cloudformation.json index 1c7b40f4c9..c1f50da909 100644 --- a/tests/integration/update_cluster/containerd/cloudformation.json +++ b/tests/integration/update_cluster/containerd/cloudformation.json @@ -1135,17 +1135,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" 
@@ -1158,22 +1147,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "containerd.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1194,7 +1167,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "containerd.example.com" + "aws:ResourceTag/KubernetesCluster": "containerd.example.com" } }, "Effect": "Allow", @@ -1203,21 +1176,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "containerd.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -1243,6 +1201,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "containerd.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/docker-custom/cloudformation.json b/tests/integration/update_cluster/docker-custom/cloudformation.json index 3a052584b7..b8003db5c9 100644 --- a/tests/integration/update_cluster/docker-custom/cloudformation.json +++ b/tests/integration/update_cluster/docker-custom/cloudformation.json 
@@ -1135,17 +1135,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -1158,22 +1147,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "docker.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1194,7 +1167,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "docker.example.com" + "aws:ResourceTag/KubernetesCluster": "docker.example.com" } }, "Effect": "Allow", @@ -1203,21 +1176,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "docker.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -1243,6 +1201,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "docker.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" 
diff --git a/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy b/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy index 6e2e0966b4..b3e4be92fe 100644 --- a/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy +++ b/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy @@ -183,17 +183,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -206,22 +195,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "existingsg.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -242,7 +215,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "existingsg.example.com" + "aws:ResourceTag/KubernetesCluster": "existingsg.example.com" } }, "Effect": "Allow", @@ -251,21 +224,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "existingsg.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", 
@@ -291,6 +249,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "existingsg.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/externallb/cloudformation.json b/tests/integration/update_cluster/externallb/cloudformation.json index f33d9522c9..7587312fde 100644 --- a/tests/integration/update_cluster/externallb/cloudformation.json +++ b/tests/integration/update_cluster/externallb/cloudformation.json @@ -1151,17 +1151,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -1174,22 +1163,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "externallb.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1210,7 +1183,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "externallb.example.com" + "aws:ResourceTag/KubernetesCluster": "externallb.example.com" } }, "Effect": "Allow", 
@@ -1219,21 +1192,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "externallb.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -1259,6 +1217,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "externallb.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy b/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy index 5221234f09..3586005b00 100644 --- a/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy +++ b/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy @@ -183,17 +183,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" 
@@ -206,22 +195,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "externallb.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -242,7 +215,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "externallb.example.com" + "aws:ResourceTag/KubernetesCluster": "externallb.example.com" } }, "Effect": "Allow", @@ -251,21 +224,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "externallb.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -291,6 +249,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "externallb.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy b/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy index af6689d677..0e0bc3e2ff 100644 
--- a/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy +++ b/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy @@ -183,17 +183,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -206,22 +195,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "externalpolicies.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -242,7 +215,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "externalpolicies.example.com" + "aws:ResourceTag/KubernetesCluster": "externalpolicies.example.com" } }, "Effect": "Allow", @@ -251,21 +224,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "externalpolicies.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", 
@@ -291,6 +249,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "externalpolicies.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy b/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy index 055cc01000..c2268616fc 100644 --- a/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy +++ b/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy @@ -183,17 +183,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -206,22 +195,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "ha.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -242,7 +215,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "ha.example.com" + "aws:ResourceTag/KubernetesCluster": "ha.example.com" } }, "Effect": "Allow", 
@@ -251,21 +224,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "ha.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -291,6 +249,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "ha.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy index 51b73ecf76..dbd060bb07 100644 --- a/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -183,17 +183,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" 
@@ -206,22 +195,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -242,7 +215,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" } }, "Effect": "Allow", @@ -251,21 +224,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -291,6 +249,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy index 3077cf2aaf..d131ec1517 100644 --- a/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy 
+++ b/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -183,40 +183,6 @@ "*" ] }, - { - "Action": [ - "ec2:CreateSnapshot", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeSnapshots" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "ec2:DeleteSnapshot", - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -229,22 +195,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -265,7 +215,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" } }, "Effect": "Allow", @@ -274,21 +224,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:DescribeAvailabilityZones", 
@@ -391,25 +326,33 @@ { "Action": [ "ec2:CreateSnapshot", + "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", - "ec2:DescribeSnapshots" + "ec2:DescribeInstances", + "ec2:DescribeSnapshots", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" ], "Effect": "Allow", - "Resource": [ - "*" - ] + "Resource": "*" }, { - "Action": "ec2:DeleteSnapshot", + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteSnapshot", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], "Condition": { "StringEquals": { "aws:ResourceTag/KubernetesCluster": "minimal.example.com" } }, "Effect": "Allow", - "Resource": [ - "*" - ] + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal-etcd/cloudformation.json b/tests/integration/update_cluster/minimal-etcd/cloudformation.json index 278a91ef72..f65fe45514 100644 --- a/tests/integration/update_cluster/minimal-etcd/cloudformation.json +++ b/tests/integration/update_cluster/minimal-etcd/cloudformation.json @@ -1135,17 +1135,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -1158,22 +1147,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal-etcd.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1194,7 +1167,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal-etcd.example.com" + "aws:ResourceTag/KubernetesCluster": "minimal-etcd.example.com" } }, "Effect": "Allow", 
@@ -1203,21 +1176,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal-etcd.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -1243,6 +1201,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal-etcd.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal-gp3/cloudformation.json b/tests/integration/update_cluster/minimal-gp3/cloudformation.json index 8442ee788a..89ad4fe2b0 100644 --- a/tests/integration/update_cluster/minimal-gp3/cloudformation.json +++ b/tests/integration/update_cluster/minimal-gp3/cloudformation.json @@ -1131,17 +1131,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -1154,22 +1143,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { 
@@ -1190,7 +1163,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" } }, "Effect": "Allow", @@ -1199,21 +1172,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -1239,6 +1197,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy index 51b73ecf76..dbd060bb07 100644 --- a/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -183,17 +183,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" 
@@ -206,22 +195,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -242,7 +215,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" } }, "Effect": "Allow", @@ -251,21 +224,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -291,6 +249,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal-ipv6/cloudformation.json b/tests/integration/update_cluster/minimal-ipv6/cloudformation.json index da2933fa44..71df3d9e8d 100644 --- a/tests/integration/update_cluster/minimal-ipv6/cloudformation.json +++ b/tests/integration/update_cluster/minimal-ipv6/cloudformation.json 
@@ -1312,17 +1312,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -1335,22 +1324,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1371,7 +1344,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com" + "aws:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com" } }, "Effect": "Allow", @@ -1380,21 +1353,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -1420,6 +1378,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" 
diff --git a/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy b/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy index c988978327..e8e35ce5e0 100644 --- a/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy +++ b/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy @@ -183,17 +183,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -206,22 +195,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -242,7 +215,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com" + "aws:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com" } }, "Effect": "Allow", @@ -251,21 +224,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", 
@@ -291,6 +249,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy b/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy index 15fe07a28b..bc1bc88ec5 100644 --- a/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy +++ b/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy @@ -183,17 +183,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -206,22 +195,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal-json.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { 
@@ -242,7 +215,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal-json.example.com" + "aws:ResourceTag/KubernetesCluster": "minimal-json.example.com" } }, "Effect": "Allow", @@ -251,21 +224,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal-json.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -291,6 +249,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal-json.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy b/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy index 1da57a041a..1d48ea7c56 100644 --- a/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy +++ b/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy 
@@ -183,17 +183,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -206,22 +195,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal-warmpool.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -242,7 +215,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal-warmpool.example.com" + "aws:ResourceTag/KubernetesCluster": "minimal-warmpool.example.com" } }, "Effect": "Allow", @@ -251,21 +224,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal-warmpool.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -291,6 +249,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal-warmpool.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" 
diff --git a/tests/integration/update_cluster/minimal/cloudformation.json b/tests/integration/update_cluster/minimal/cloudformation.json index c2500344fb..5ec6f72551 100644 --- a/tests/integration/update_cluster/minimal/cloudformation.json +++ b/tests/integration/update_cluster/minimal/cloudformation.json @@ -1135,17 +1135,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -1158,22 +1147,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1194,7 +1167,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" } }, "Effect": "Allow", @@ -1203,21 +1176,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", 
@@ -1243,6 +1201,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy index 51b73ecf76..dbd060bb07 100644 --- a/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -183,17 +183,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -206,22 +195,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -242,7 +215,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" } }, "Effect": "Allow", 
@@ -251,21 +224,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -291,6 +249,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy b/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy index 21d4efa254..c558dccb84 100644 --- a/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy +++ b/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy @@ -154,17 +154,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" 
@@ -177,22 +166,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "minimal.k8s.local" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -213,7 +186,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.k8s.local" + "aws:ResourceTag/KubernetesCluster": "minimal.k8s.local" } }, "Effect": "Allow", @@ -222,21 +195,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.k8s.local" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -262,6 +220,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.k8s.local" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/mixed_instances/cloudformation.json b/tests/integration/update_cluster/mixed_instances/cloudformation.json index bd78bd40ed..ec21bfb895 100644 --- a/tests/integration/update_cluster/mixed_instances/cloudformation.json +++ b/tests/integration/update_cluster/mixed_instances/cloudformation.json 
@@ -1854,17 +1854,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -1877,22 +1866,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1913,7 +1886,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "mixedinstances.example.com" + "aws:ResourceTag/KubernetesCluster": "mixedinstances.example.com" } }, "Effect": "Allow", @@ -1922,21 +1895,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -1962,6 +1920,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "mixedinstances.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" 
diff --git a/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy b/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy index c7d861912f..4859e5cbb9 100644 --- a/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy +++ b/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy @@ -183,17 +183,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -206,22 +195,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -242,7 +215,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "mixedinstances.example.com" + "aws:ResourceTag/KubernetesCluster": "mixedinstances.example.com" } }, "Effect": "Allow", @@ -251,21 +224,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", 
@@ -291,6 +249,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "mixedinstances.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json b/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json index 8e01883c23..4ed88180f6 100644 --- a/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json +++ b/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json @@ -1855,17 +1855,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -1878,22 +1867,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1914,7 +1887,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "mixedinstances.example.com" + "aws:ResourceTag/KubernetesCluster": "mixedinstances.example.com" } }, "Effect": "Allow", 
@@ -1923,21 +1896,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -1963,6 +1921,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "mixedinstances.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy b/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy index c7d861912f..4859e5cbb9 100644 --- a/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy +++ b/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy @@ -183,17 +183,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" 
@@ -206,22 +195,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -242,7 +215,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "mixedinstances.example.com" + "aws:ResourceTag/KubernetesCluster": "mixedinstances.example.com" } }, "Effect": "Allow", @@ -251,21 +224,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -291,6 +249,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "mixedinstances.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json b/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json index fd7f803736..340b61e82a 100644 --- a/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json +++ b/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json 
@@ -1245,17 +1245,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -1268,22 +1257,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "nthsqsresources.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1304,7 +1277,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "nthsqsresources.example.com" + "aws:ResourceTag/KubernetesCluster": "nthsqsresources.example.com" } }, "Effect": "Allow", @@ -1313,21 +1286,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "nthsqsresources.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -1365,6 +1323,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "nthsqsresources.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" 
diff --git a/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy b/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy index d3997fbfff..386251af38 100644 --- a/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy +++ b/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy @@ -183,17 +183,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -206,22 +195,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "nthsqsresources.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -242,7 +215,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "nthsqsresources.example.com" + "aws:ResourceTag/KubernetesCluster": "nthsqsresources.example.com" } }, "Effect": "Allow", @@ -251,21 +224,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "nthsqsresources.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", 
@@ -303,6 +261,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "nthsqsresources.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/private-shared-ip/cloudformation.json b/tests/integration/update_cluster/private-shared-ip/cloudformation.json index 4bcb322dd3..76d8c73f7b 100644 --- a/tests/integration/update_cluster/private-shared-ip/cloudformation.json +++ b/tests/integration/update_cluster/private-shared-ip/cloudformation.json @@ -1655,17 +1655,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -1678,22 +1667,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "private-shared-ip.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1714,7 +1687,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "private-shared-ip.example.com" + "aws:ResourceTag/KubernetesCluster": "private-shared-ip.example.com" } }, "Effect": "Allow", 
@@ -1723,21 +1696,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "private-shared-ip.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -1763,6 +1721,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "private-shared-ip.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy b/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy index e097a5a82d..ae10dc3d65 100644 --- a/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy +++ b/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy @@ -183,17 +183,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" 
@@ -206,22 +195,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "private-shared-ip.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -242,7 +215,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "private-shared-ip.example.com" + "aws:ResourceTag/KubernetesCluster": "private-shared-ip.example.com" } }, "Effect": "Allow", @@ -251,21 +224,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "private-shared-ip.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -291,6 +249,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "private-shared-ip.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy b/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy index 82f616168b..1b8eed32e3 100644 
--- a/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy +++ b/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy @@ -183,17 +183,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -206,22 +195,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "private-shared-subnet.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -242,7 +215,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "private-shared-subnet.example.com" + "aws:ResourceTag/KubernetesCluster": "private-shared-subnet.example.com" } }, "Effect": "Allow", @@ -251,21 +224,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "private-shared-subnet.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", 
@@ -291,6 +249,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "private-shared-subnet.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privatecalico/cloudformation.json b/tests/integration/update_cluster/privatecalico/cloudformation.json index d93fe81b38..0ebf710194 100644 --- a/tests/integration/update_cluster/privatecalico/cloudformation.json +++ b/tests/integration/update_cluster/privatecalico/cloudformation.json @@ -1811,17 +1811,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -1834,22 +1823,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "privatecalico.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1870,7 +1843,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "privatecalico.example.com" + "aws:ResourceTag/KubernetesCluster": "privatecalico.example.com" } }, "Effect": "Allow", 
@@ -1879,21 +1852,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "privatecalico.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -1929,6 +1887,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "privatecalico.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy b/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy index 97fc500314..ab3672d1a0 100644 --- a/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy +++ b/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy @@ -183,17 +183,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" 
@@ -206,22 +195,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "privatecalico.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -242,7 +215,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "privatecalico.example.com" + "aws:ResourceTag/KubernetesCluster": "privatecalico.example.com" } }, "Effect": "Allow", @@ -251,21 +224,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "privatecalico.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -301,6 +259,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "privatecalico.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy index d98db02a8d..0d69ec1475 100644 --- a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy 
+++ b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy @@ -183,17 +183,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -206,22 +195,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "privatecanal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -242,7 +215,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "privatecanal.example.com" + "aws:ResourceTag/KubernetesCluster": "privatecanal.example.com" } }, "Effect": "Allow", @@ -251,21 +224,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "privatecanal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", @@ -291,6 +249,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "privatecanal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" 
diff --git a/tests/integration/update_cluster/privatecilium/cloudformation.json b/tests/integration/update_cluster/privatecilium/cloudformation.json index 9f90ee6a59..ad80e5ac9a 100644 --- a/tests/integration/update_cluster/privatecilium/cloudformation.json +++ b/tests/integration/update_cluster/privatecilium/cloudformation.json @@ -1797,17 +1797,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -1820,22 +1809,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "privatecilium.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1856,7 +1829,7 @@ "Action": "ec2:DeleteTags", "Condition": { "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "privatecilium.example.com" + "aws:ResourceTag/KubernetesCluster": "privatecilium.example.com" } }, "Effect": "Allow", @@ -1865,21 +1838,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "privatecilium.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "autoscaling:SetDesiredCapacity", 
@@ -1905,6 +1863,33 @@ "Resource": [ "*" ] + }, + { + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "privatecilium.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy b/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy index 85875dd28f..b9e6157ea4 100644 --- a/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy +++ b/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy @@ -183,17 +183,6 @@ "*" ] }, - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeTags" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "ec2:CreateVolume" @@ -206,22 +195,6 @@ "Effect": "Allow", "Resource": "*" }, - { - "Action": [ - "ec2:ModifyVolume", - "ec2:ModifyInstanceAttribute", - "ec2:AttachVolume", - "ec2:DeleteVolume", - "ec2:DetachVolume" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/KubernetesCluster": "privatecilium.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { 
@@ -242,7 +215,7 @@
 "Action": "ec2:DeleteTags",
 "Condition": {
 "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "privatecilium.example.com"
+ "aws:ResourceTag/KubernetesCluster": "privatecilium.example.com"
 }
 },
 "Effect": "Allow",
@@ -251,21 +224,6 @@
 "arn:aws:ec2:*:*:snapshot/*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:DeleteVolume",
- "ec2:DetachVolume",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "privatecilium.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": [
 "autoscaling:SetDesiredCapacity",
@@ -291,6 +249,33 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeVolumesModifications"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "privatecilium.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": "*"
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/privatecilium2/cloudformation.json b/tests/integration/update_cluster/privatecilium2/cloudformation.json
index 9f90ee6a59..ad80e5ac9a 100644
--- a/tests/integration/update_cluster/privatecilium2/cloudformation.json
+++ b/tests/integration/update_cluster/privatecilium2/cloudformation.json
@@ -1797,17 +1797,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstances",
- "ec2:DescribeVolumes",
- "ec2:DescribeVolumesModifications",
- "ec2:DescribeTags"
- ],
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": [
 "ec2:CreateVolume"
@@ -1820,22 +1809,6 @@
 "Effect": "Allow",
 "Resource": "*"
 },
- {
- "Action": [
- "ec2:ModifyVolume",
- "ec2:ModifyInstanceAttribute",
- "ec2:AttachVolume",
- "ec2:DeleteVolume",
- "ec2:DetachVolume"
- ],
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/KubernetesCluster": "privatecilium.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": "ec2:CreateTags",
 "Condition": {
@@ -1856,7 +1829,7 @@
 "Action": "ec2:DeleteTags",
 "Condition": {
 "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "privatecilium.example.com"
+ "aws:ResourceTag/KubernetesCluster": "privatecilium.example.com"
 }
 },
 "Effect": "Allow",
@@ -1865,21 +1838,6 @@
 "arn:aws:ec2:*:*:snapshot/*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:DeleteVolume",
- "ec2:DetachVolume",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "privatecilium.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": [
 "autoscaling:SetDesiredCapacity",
@@ -1905,6 +1863,33 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeVolumesModifications"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "privatecilium.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": "*"
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy b/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy
index 85875dd28f..b9e6157ea4 100644
--- a/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy
+++ b/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy
@@ -183,17 +183,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstances",
- "ec2:DescribeVolumes",
- "ec2:DescribeVolumesModifications",
- "ec2:DescribeTags"
- ],
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": [
 "ec2:CreateVolume"
@@ -206,22 +195,6 @@
 "Effect": "Allow",
 "Resource": "*"
 },
- {
- "Action": [
- "ec2:ModifyVolume",
- "ec2:ModifyInstanceAttribute",
- "ec2:AttachVolume",
- "ec2:DeleteVolume",
- "ec2:DetachVolume"
- ],
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/KubernetesCluster": "privatecilium.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": "ec2:CreateTags",
 "Condition": {
@@ -242,7 +215,7 @@
 "Action": "ec2:DeleteTags",
 "Condition": {
 "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "privatecilium.example.com"
+ "aws:ResourceTag/KubernetesCluster": "privatecilium.example.com"
 }
 },
 "Effect": "Allow",
@@ -251,21 +224,6 @@
 "arn:aws:ec2:*:*:snapshot/*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:DeleteVolume",
- "ec2:DetachVolume",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "privatecilium.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": [
 "autoscaling:SetDesiredCapacity",
@@ -291,6 +249,33 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeVolumesModifications"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "privatecilium.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": "*"
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json b/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json
index 3d3d759a25..2f92fb44e5 100644
--- a/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json
+++ b/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json
@@ -1830,17 +1830,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstances",
- "ec2:DescribeVolumes",
- "ec2:DescribeVolumesModifications",
- "ec2:DescribeTags"
- ],
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": [
 "ec2:CreateVolume"
@@ -1853,22 +1842,6 @@
 "Effect": "Allow",
 "Resource": "*"
 },
- {
- "Action": [
- "ec2:ModifyVolume",
- "ec2:ModifyInstanceAttribute",
- "ec2:AttachVolume",
- "ec2:DeleteVolume",
- "ec2:DetachVolume"
- ],
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": "ec2:CreateTags",
 "Condition": {
@@ -1889,7 +1862,7 @@
 "Action": "ec2:DeleteTags",
 "Condition": {
 "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com"
+ "aws:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com"
 }
 },
 "Effect": "Allow",
@@ -1898,21 +1871,6 @@
 "arn:aws:ec2:*:*:snapshot/*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:DeleteVolume",
- "ec2:DetachVolume",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": [
 "autoscaling:SetDesiredCapacity",
@@ -1958,6 +1916,33 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeVolumesModifications"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": "*"
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy b/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy
index baa8cc53ec..3f18d555c6 100644
--- a/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy
+++ b/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy
@@ -183,17 +183,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstances",
- "ec2:DescribeVolumes",
- "ec2:DescribeVolumesModifications",
- "ec2:DescribeTags"
- ],
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": [
 "ec2:CreateVolume"
@@ -206,22 +195,6 @@
 "Effect": "Allow",
 "Resource": "*"
 },
- {
- "Action": [
- "ec2:ModifyVolume",
- "ec2:ModifyInstanceAttribute",
- "ec2:AttachVolume",
- "ec2:DeleteVolume",
- "ec2:DetachVolume"
- ],
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": "ec2:CreateTags",
 "Condition": {
@@ -242,7 +215,7 @@
 "Action": "ec2:DeleteTags",
 "Condition": {
 "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com"
+ "aws:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com"
 }
 },
 "Effect": "Allow",
@@ -251,21 +224,6 @@
 "arn:aws:ec2:*:*:snapshot/*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:DeleteVolume",
- "ec2:DetachVolume",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": [
 "autoscaling:SetDesiredCapacity",
@@ -311,6 +269,33 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeVolumesModifications"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": "*"
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy b/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy
index 797f54444a..cca52cd16b 100644
--- a/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy
+++ b/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy
@@ -183,17 +183,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstances",
- "ec2:DescribeVolumes",
- "ec2:DescribeVolumesModifications",
- "ec2:DescribeTags"
- ],
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": [
 "ec2:CreateVolume"
@@ -206,22 +195,6 @@
 "Effect": "Allow",
 "Resource": "*"
 },
- {
- "Action": [
- "ec2:ModifyVolume",
- "ec2:ModifyInstanceAttribute",
- "ec2:AttachVolume",
- "ec2:DeleteVolume",
- "ec2:DetachVolume"
- ],
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/KubernetesCluster": "privatedns1.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": "ec2:CreateTags",
 "Condition": {
@@ -242,7 +215,7 @@
 "Action": "ec2:DeleteTags",
 "Condition": {
 "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "privatedns1.example.com"
+ "aws:ResourceTag/KubernetesCluster": "privatedns1.example.com"
 }
 },
 "Effect": "Allow",
@@ -251,21 +224,6 @@
 "arn:aws:ec2:*:*:snapshot/*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:DeleteVolume",
- "ec2:DetachVolume",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "privatedns1.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": [
 "autoscaling:SetDesiredCapacity",
@@ -291,6 +249,33 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeVolumesModifications"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "privatedns1.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": "*"
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy b/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy
index 70c3cae5e6..5c010a9267 100644
--- a/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy
+++ b/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy
@@ -183,17 +183,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstances",
- "ec2:DescribeVolumes",
- "ec2:DescribeVolumesModifications",
- "ec2:DescribeTags"
- ],
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": [
 "ec2:CreateVolume"
@@ -206,22 +195,6 @@
 "Effect": "Allow",
 "Resource": "*"
 },
- {
- "Action": [
- "ec2:ModifyVolume",
- "ec2:ModifyInstanceAttribute",
- "ec2:AttachVolume",
- "ec2:DeleteVolume",
- "ec2:DetachVolume"
- ],
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/KubernetesCluster": "privatedns2.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": "ec2:CreateTags",
 "Condition": {
@@ -242,7 +215,7 @@
 "Action": "ec2:DeleteTags",
 "Condition": {
 "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "privatedns2.example.com"
+ "aws:ResourceTag/KubernetesCluster": "privatedns2.example.com"
 }
 },
 "Effect": "Allow",
@@ -251,21 +224,6 @@
 "arn:aws:ec2:*:*:snapshot/*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:DeleteVolume",
- "ec2:DetachVolume",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "privatedns2.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": [
 "autoscaling:SetDesiredCapacity",
@@ -291,6 +249,33 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeVolumesModifications"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "privatedns2.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": "*"
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy b/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy
index 1dd3fda051..3cc4acf2ad 100644
--- a/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy
+++ b/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy
@@ -183,17 +183,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstances",
- "ec2:DescribeVolumes",
- "ec2:DescribeVolumesModifications",
- "ec2:DescribeTags"
- ],
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": [
 "ec2:CreateVolume"
@@ -206,22 +195,6 @@
 "Effect": "Allow",
 "Resource": "*"
 },
- {
- "Action": [
- "ec2:ModifyVolume",
- "ec2:ModifyInstanceAttribute",
- "ec2:AttachVolume",
- "ec2:DeleteVolume",
- "ec2:DetachVolume"
- ],
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/KubernetesCluster": "privateflannel.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": "ec2:CreateTags",
 "Condition": {
@@ -242,7 +215,7 @@
 "Action": "ec2:DeleteTags",
 "Condition": {
 "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "privateflannel.example.com"
+ "aws:ResourceTag/KubernetesCluster": "privateflannel.example.com"
 }
 },
 "Effect": "Allow",
@@ -251,21 +224,6 @@
 "arn:aws:ec2:*:*:snapshot/*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:DeleteVolume",
- "ec2:DetachVolume",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "privateflannel.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": [
 "autoscaling:SetDesiredCapacity",
@@ -291,6 +249,33 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeVolumesModifications"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "privateflannel.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": "*"
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy b/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy
index 4f0d821199..474b21e468 100644
--- a/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy
+++ b/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy
@@ -183,17 +183,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstances",
- "ec2:DescribeVolumes",
- "ec2:DescribeVolumesModifications",
- "ec2:DescribeTags"
- ],
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": [
 "ec2:CreateVolume"
@@ -206,22 +195,6 @@
 "Effect": "Allow",
 "Resource": "*"
 },
- {
- "Action": [
- "ec2:ModifyVolume",
- "ec2:ModifyInstanceAttribute",
- "ec2:AttachVolume",
- "ec2:DeleteVolume",
- "ec2:DetachVolume"
- ],
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/KubernetesCluster": "privatekopeio.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": "ec2:CreateTags",
 "Condition": {
@@ -242,7 +215,7 @@
 "Action": "ec2:DeleteTags",
 "Condition": {
 "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "privatekopeio.example.com"
+ "aws:ResourceTag/KubernetesCluster": "privatekopeio.example.com"
 }
 },
 "Effect": "Allow",
@@ -251,21 +224,6 @@
 "arn:aws:ec2:*:*:snapshot/*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:DeleteVolume",
- "ec2:DetachVolume",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "privatekopeio.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": [
 "autoscaling:SetDesiredCapacity",
@@ -291,6 +249,33 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeVolumesModifications"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "privatekopeio.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": "*"
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy b/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy
index 372df4b6dd..0a0287d973 100644
--- a/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy
+++ b/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy
@@ -183,17 +183,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstances",
- "ec2:DescribeVolumes",
- "ec2:DescribeVolumesModifications",
- "ec2:DescribeTags"
- ],
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": [
 "ec2:CreateVolume"
@@ -206,22 +195,6 @@
 "Effect": "Allow",
 "Resource": "*"
 },
- {
- "Action": [
- "ec2:ModifyVolume",
- "ec2:ModifyInstanceAttribute",
- "ec2:AttachVolume",
- "ec2:DeleteVolume",
- "ec2:DetachVolume"
- ],
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/KubernetesCluster": "privateweave.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": "ec2:CreateTags",
 "Condition": {
@@ -242,7 +215,7 @@
 "Action": "ec2:DeleteTags",
 "Condition": {
 "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "privateweave.example.com"
+ "aws:ResourceTag/KubernetesCluster": "privateweave.example.com"
 }
 },
 "Effect": "Allow",
@@ -251,21 +224,6 @@
 "arn:aws:ec2:*:*:snapshot/*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:DeleteVolume",
- "ec2:DetachVolume",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "privateweave.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": [
 "autoscaling:SetDesiredCapacity",
@@ -291,6 +249,33 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeVolumesModifications"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "privateweave.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": "*"
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy b/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy
index 28d2b40f02..66b78db8dd 100644
--- a/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy
+++ b/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy
@@ -183,17 +183,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstances",
- "ec2:DescribeVolumes",
- "ec2:DescribeVolumesModifications",
- "ec2:DescribeTags"
- ],
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": [
 "ec2:CreateVolume"
@@ -206,22 +195,6 @@
 "Effect": "Allow",
 "Resource": "*"
 },
- {
- "Action": [
- "ec2:ModifyVolume",
- "ec2:ModifyInstanceAttribute",
- "ec2:AttachVolume",
- "ec2:DeleteVolume",
- "ec2:DetachVolume"
- ],
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/KubernetesCluster": "sharedsubnet.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": "ec2:CreateTags",
 "Condition": {
@@ -242,7 +215,7 @@
 "Action": "ec2:DeleteTags",
 "Condition": {
 "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "sharedsubnet.example.com"
+ "aws:ResourceTag/KubernetesCluster": "sharedsubnet.example.com"
 }
 },
 "Effect": "Allow",
@@ -251,21 +224,6 @@
 "arn:aws:ec2:*:*:snapshot/*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:DeleteVolume",
- "ec2:DetachVolume",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "sharedsubnet.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": [
 "autoscaling:SetDesiredCapacity",
@@ -291,6 +249,33 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeVolumesModifications"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "sharedsubnet.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": "*"
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy b/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy
index 232ea1580a..7ec1b5490d 100644
--- a/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy
+++ b/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy
@@ -183,17 +183,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstances",
- "ec2:DescribeVolumes",
- "ec2:DescribeVolumesModifications",
- "ec2:DescribeTags"
- ],
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": [
 "ec2:CreateVolume"
@@ -206,22 +195,6 @@
 "Effect": "Allow",
 "Resource": "*"
 },
- {
- "Action": [
- "ec2:ModifyVolume",
- "ec2:ModifyInstanceAttribute",
- "ec2:AttachVolume",
- "ec2:DeleteVolume",
- "ec2:DetachVolume"
- ],
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/KubernetesCluster": "sharedvpc.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": "ec2:CreateTags",
 "Condition": {
@@ -242,7 +215,7 @@
 "Action": "ec2:DeleteTags",
 "Condition": {
 "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "sharedvpc.example.com"
+ "aws:ResourceTag/KubernetesCluster": "sharedvpc.example.com"
 }
 },
 "Effect": "Allow",
@@ -251,21 +224,6 @@
 "arn:aws:ec2:*:*:snapshot/*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:DeleteVolume",
- "ec2:DetachVolume",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "sharedvpc.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": [
 "autoscaling:SetDesiredCapacity",
@@ -291,6 +249,33 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeVolumesModifications"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "sharedvpc.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": "*"
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy b/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy
index 574f17c47e..34339e6cae 100644
--- a/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy
+++ b/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy
@@ -183,17 +183,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstances",
- "ec2:DescribeVolumes",
- "ec2:DescribeVolumesModifications",
- "ec2:DescribeTags"
- ],
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": [
 "ec2:CreateVolume"
@@ -206,22 +195,6 @@
 "Effect": "Allow",
 "Resource": "*"
 },
- {
- "Action": [
- "ec2:ModifyVolume",
- "ec2:ModifyInstanceAttribute",
- "ec2:AttachVolume",
- "ec2:DeleteVolume",
- "ec2:DetachVolume"
- ],
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/KubernetesCluster": "unmanaged.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": "ec2:CreateTags",
 "Condition": {
@@ -242,7 +215,7 @@
 "Action": "ec2:DeleteTags",
 "Condition": {
 "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "unmanaged.example.com"
+ "aws:ResourceTag/KubernetesCluster": "unmanaged.example.com"
 }
 },
 "Effect": "Allow",
@@ -251,21 +224,6 @@
 "arn:aws:ec2:*:*:snapshot/*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:DeleteVolume",
- "ec2:DetachVolume",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "unmanaged.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": [
 "autoscaling:SetDesiredCapacity",
@@ -291,6 +249,33 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeVolumesModifications"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "unmanaged.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": "*"
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy
index 51b73ecf76..dbd060bb07 100644
--- a/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy
+++ b/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy
@@ -183,17 +183,6 @@
 "*"
 ]
 },
- {
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstances",
- "ec2:DescribeVolumes",
- "ec2:DescribeVolumesModifications",
- "ec2:DescribeTags"
- ],
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": [
 "ec2:CreateVolume"
@@ -206,22 +195,6 @@
 "Effect": "Allow",
 "Resource": "*"
 },
- {
- "Action": [
- "ec2:ModifyVolume",
- "ec2:ModifyInstanceAttribute",
- "ec2:AttachVolume",
- "ec2:DeleteVolume",
- "ec2:DetachVolume"
- ],
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/KubernetesCluster": "minimal.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": "ec2:CreateTags",
 "Condition": {
@@ -242,7 +215,7 @@
 "Action": "ec2:DeleteTags",
 "Condition": {
 "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "minimal.example.com"
+ "aws:ResourceTag/KubernetesCluster": "minimal.example.com"
 }
 },
 "Effect": "Allow",
@@ -251,21 +224,6 @@
 "arn:aws:ec2:*:*:snapshot/*"
 ]
 },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:DeleteVolume",
- "ec2:DetachVolume",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "minimal.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": "*"
- },
 {
 "Action": [
 "autoscaling:SetDesiredCapacity",
@@ -291,6 +249,33 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Action": [
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeVolumesModifications"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:DeleteVolume",
+ "ec2:DetachVolume",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyVolume"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/KubernetesCluster": "minimal.example.com"
+ }
+ },
+ "Effect": "Allow",
+ "Resource": "*"
 }
 ],
 "Version": "2012-10-17"