From 3db20bed01981a2d4dbc7ad9a6660640c744284b Mon Sep 17 00:00:00 2001 
From: Peter Rifel Date: Thu, 19 Aug 2021 23:16:23 -0500 Subject: [PATCH] ./hack/update-expected.sh --- pkg/model/iam/iam_builder.go | 39 ++++++++---- .../iam/tests/iam_builder_master_strict.json | 59 ++++++------------- .../tests/iam_builder_master_strict_ecr.json | 59 ++++++------------- .../apiservernodes/cloudformation.json | 59 ++++++------------- ..._policy_masters.minimal.example.com_policy | 47 ++++++--------- ...masters.bastionuserdata.example.com_policy | 59 ++++++------------- .../complex/cloudformation.json | 59 ++++++------------- ..._policy_masters.complex.example.com_policy | 59 ++++++------------- ...policy_masters.compress.example.com_policy | 59 ++++++------------- .../containerd-custom/cloudformation.json | 59 ++++++------------- .../containerd/cloudformation.json | 59 ++++++------------- .../docker-custom/cloudformation.json | 59 ++++++------------- ...licy_masters.existingsg.example.com_policy | 59 ++++++------------- .../externallb/cloudformation.json | 59 ++++++------------- ...licy_masters.externallb.example.com_policy | 59 ++++++------------- ...asters.externalpolicies.example.com_policy | 59 ++++++------------- ..._role_policy_masters.ha.example.com_policy | 59 ++++++------------- ..._policy_masters.minimal.example.com_policy | 59 ++++++------------- ....kube-system.sa.minimal.example.com_policy | 38 ++++++------ ....kube-system.sa.minimal.example.com_policy | 22 ++++--- ..._policy_masters.minimal.example.com_policy | 9 --- ..._policy_masters.minimal.example.com_policy | 59 ++++++------------- ..._policy_masters.minimal.example.com_policy | 59 ++++++------------- .../minimal-etcd/cloudformation.json | 59 ++++++------------- .../minimal-gp3/cloudformation.json | 59 ++++++------------- ..._policy_masters.minimal.example.com_policy | 59 ++++++------------- .../minimal-ipv6/cloudformation.json | 59 ++++++------------- ...cy_masters.minimal-ipv6.example.com_policy | 59 ++++++------------- ...cy_masters.minimal-json.example.com_policy | 59 
++++++------------- ...asters.minimal-warmpool.example.com_policy | 59 ++++++------------- .../minimal/cloudformation.json | 59 ++++++------------- ..._policy_masters.minimal.example.com_policy | 59 ++++++------------- ...le_policy_masters.minimal.k8s.local_policy | 59 ++++++------------- .../mixed_instances/cloudformation.json | 59 ++++++------------- ..._masters.mixedinstances.example.com_policy | 59 ++++++------------- .../mixed_instances_spot/cloudformation.json | 59 ++++++------------- ..._masters.mixedinstances.example.com_policy | 59 ++++++------------- .../nth_sqs_resources/cloudformation.json | 59 ++++++------------- ...masters.nthsqsresources.example.com_policy | 59 ++++++------------- .../private-shared-ip/cloudformation.json | 59 ++++++------------- ...sters.private-shared-ip.example.com_policy | 59 ++++++------------- ...s.private-shared-subnet.example.com_policy | 59 ++++++------------- .../privatecalico/cloudformation.json | 59 ++++++------------- ...y_masters.privatecalico.example.com_policy | 59 ++++++------------- ...cy_masters.privatecanal.example.com_policy | 59 ++++++------------- .../privatecilium/cloudformation.json | 59 ++++++------------- ...y_masters.privatecilium.example.com_policy | 59 ++++++------------- .../privatecilium2/cloudformation.json | 59 ++++++------------- ...y_masters.privatecilium.example.com_policy | 59 ++++++------------- .../privateciliumadvanced/cloudformation.json | 59 ++++++------------- ...s.privateciliumadvanced.example.com_policy | 59 ++++++------------- ...icy_masters.privatedns1.example.com_policy | 59 ++++++------------- ...icy_masters.privatedns2.example.com_policy | 59 ++++++------------- ..._masters.privateflannel.example.com_policy | 59 ++++++------------- ...y_masters.privatekopeio.example.com_policy | 59 ++++++------------- ...cy_masters.privateweave.example.com_policy | 59 ++++++------------- ..._policy_masters.minimal.example.com_policy | 47 ++++++--------- ...cy_masters.sharedsubnet.example.com_policy | 
59 ++++++------------- ...olicy_masters.sharedvpc.example.com_policy | 59 ++++++------------- ...olicy_masters.unmanaged.example.com_policy | 59 ++++++------------- ..._policy_masters.minimal.example.com_policy | 59 ++++++------------- 61 files changed, 1083 insertions(+), 2364 deletions(-) diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go index 930e6ed98b..8bb60fb03e 100644 --- a/pkg/model/iam/iam_builder.go +++ b/pkg/model/iam/iam_builder.go @@ -49,11 +49,12 @@ const PolicyDefaultVersion = "2012-10-17" // Policy Struct is a collection of fields that form a valid AWS policy document type Policy struct { - clusterName string - unconditionalAction sets.String - clusterTaggedAction sets.String - Statement []*Statement - Version string + clusterName string + unconditionalAction sets.String + clusterTaggedAction sets.String + clusterTaggedCreateAction sets.String + Statement []*Statement + Version string } // AsJSON converts the policy document to JSON format (parsable by AWS) @@ -77,6 +78,18 @@ func (p *Policy) AsJSON() (string, error) { }, }) } + if len(p.clusterTaggedCreateAction) > 0 { + p.Statement = append(p.Statement, &Statement{ + Effect: StatementEffectAllow, + Action: stringorslice.Of(p.clusterTaggedCreateAction.List()...), + Resource: stringorslice.String("*"), + Condition: Condition{ + "StringEquals": map[string]string{ + "aws:RequestTag/KubernetesCluster": p.clusterName, + }, + }, + }) + } j, err := json.MarshalIndent(p, "", " ") if err != nil { @@ -261,10 +274,11 @@ func (b *PolicyBuilder) BuildAWSPolicy() (*Policy, error) { func NewPolicy(clusterName string) *Policy { p := &Policy{ - Version: PolicyDefaultVersion, - clusterName: clusterName, - unconditionalAction: sets.NewString(), - clusterTaggedAction: sets.NewString(), + Version: PolicyDefaultVersion, + clusterName: clusterName, + unconditionalAction: sets.NewString(), + clusterTaggedAction: sets.NewString(), + clusterTaggedCreateAction: sets.NewString(), } return p } 
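Review bot: The new `clusterTaggedCreateAction` field in `Policy` has no comment explaining how it differs from `clusterTaggedAction`, and the difference is security-relevant. Per the `AsJSON` hunk in this patch, actions in this set are allowed on `Resource: "*"` only when the request carries the `KubernetesCluster` tag equal to the cluster name. I would add a field comment such as `// clusterTaggedCreateAction holds create actions that are allowed only when the request tags the new resource with KubernetesCluster=<clusterName> (aws:RequestTag).` The two neighbouring sets would benefit from the same kind of one-line description, so the next person adding a permission picks the right one.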
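Review bot: The added block in `AsJSON` appends a new `Statement` to `p.Statement` every time the method runs, so serialising the same `Policy` twice emits the `aws:RequestTag/KubernetesCluster` statement twice. The block just above it, whose tail is visible as context, appears to follow the same pattern. Duplicate statements make the rendered document differ between calls and push it toward IAM's policy size quota. Consider assembling the extra statements on a copy, for example `out := *p` followed by `out.Statement = append(append([]*Statement(nil), p.Statement...), extra...)`, and marshalling `&out`; whether `Policy` has a custom marshaller that would complicate this is not visible here. `AsJSON` starts and ends outside the hunk.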
@@ -845,6 +859,9 @@ func AddCCMPermissions(p *Policy, cloudRoutes bool) { "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + ) + + p.clusterTaggedCreateAction.Insert( "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateLoadBalancerPolicy", "elasticloadbalancing:CreateLoadBalancerListeners", @@ -951,10 +968,12 @@ func AddAWSEBSCSIDriverPermissions(p *Policy, appendSnapshotPermissions bool) { "ec2:ModifyVolume", // aws.go "ec2:ModifyInstanceAttribute", // aws.go "ec2:AttachVolume", // aws.go - "ec2:CreateVolume", // aws.go "ec2:DeleteVolume", // aws.go "ec2:DetachVolume", // aws.go ) + p.clusterTaggedCreateAction.Insert( + "ec2:CreateVolume", // aws.go + ) p.Statement = append(p.Statement, &Statement{ diff --git a/pkg/model/iam/tests/iam_builder_master_strict.json b/pkg/model/iam/tests/iam_builder_master_strict.json index fe7305f330..eed8f9cea0 100644 --- a/pkg/model/iam/tests/iam_builder_master_strict.json +++ b/pkg/model/iam/tests/iam_builder_master_strict.json @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { 
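Review bot: `elasticloadbalancing:CreateLoadBalancerPolicy` and `elasticloadbalancing:CreateLoadBalancerListeners` now sit in `p.clusterTaggedCreateAction`, which `AsJSON` gates on `aws:RequestTag/KubernetesCluster`. As far as I know, neither Classic ELB call carries tags in its request, so the condition key would be absent and the `StringEquals` Allow would never match for them; please confirm against the service authorization reference for Elastic Load Balancing. If that holds, keep `"elasticloadbalancing:CreateLoadBalancerPolicy",` and `"elasticloadbalancing:CreateLoadBalancerListeners",` in the preceding `Insert` call (its receiver is above the hunk, presumably a set conditioned on the existing resource's tag) and leave only calls that accept tags at creation time in this set. `AddCCMPermissions` starts and ends outside the hunk.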
@@ -57,38 +48,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "iam-builder-test.k8s.local" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "iam-builder-test.k8s.local" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -195,6 +154,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "iam-builder-test.k8s.local" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json index ccb0f2f9d0..3965613b2f 100644 --- a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json +++ b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { 
@@ -57,38 +48,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "iam-builder-test.k8s.local" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "iam-builder-test.k8s.local" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -202,6 +161,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "iam-builder-test.k8s.local" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/apiservernodes/cloudformation.json b/tests/integration/update_cluster/apiservernodes/cloudformation.json index ee4a9f4f1e..450dfd44f2 100644 --- a/tests/integration/update_cluster/apiservernodes/cloudformation.json +++ b/tests/integration/update_cluster/apiservernodes/cloudformation.json @@ -1216,15 +1216,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { 
@@ -1334,38 +1325,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1466,6 +1425,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy index 1710195103..836bf55565 100644 --- a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { 
@@ -118,26 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:DescribeAutoScalingGroups", @@ -203,6 +174,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy b/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy index 9fa74f0fd2..080dad7fc9 100644 --- a/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy +++ b/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { 
@@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "bastionuserdata.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "bastionuserdata.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "bastionuserdata.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/complex/cloudformation.json b/tests/integration/update_cluster/complex/cloudformation.json index ba2f5eddd8..678d11d8ce 100644 --- a/tests/integration/update_cluster/complex/cloudformation.json +++ b/tests/integration/update_cluster/complex/cloudformation.json @@ -1566,15 +1566,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { 
@@ -1684,38 +1675,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "complex.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "complex.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1816,6 +1775,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "complex.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy b/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy index 20dace975a..2fe0a611e6 100644 --- a/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy +++ b/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { 
@@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "complex.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "complex.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "complex.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy b/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy index 158b689178..53ade670c1 100644 --- a/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy +++ b/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { 
@@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "compress.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "compress.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "compress.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/containerd-custom/cloudformation.json b/tests/integration/update_cluster/containerd-custom/cloudformation.json index 66e3b986ad..6b27628a50 100644 --- a/tests/integration/update_cluster/containerd-custom/cloudformation.json +++ b/tests/integration/update_cluster/containerd-custom/cloudformation.json @@ -952,15 +952,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { 
@@ -1070,38 +1061,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "containerd.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "containerd.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1202,6 +1161,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "containerd.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/containerd/cloudformation.json b/tests/integration/update_cluster/containerd/cloudformation.json index 66e3b986ad..6b27628a50 100644 --- a/tests/integration/update_cluster/containerd/cloudformation.json +++ b/tests/integration/update_cluster/containerd/cloudformation.json @@ -952,15 +952,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { 
@@ -1070,38 +1061,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "containerd.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "containerd.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1202,6 +1161,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "containerd.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/docker-custom/cloudformation.json b/tests/integration/update_cluster/docker-custom/cloudformation.json index 7c528fe0ee..ecb92a789f 100644 --- a/tests/integration/update_cluster/docker-custom/cloudformation.json +++ b/tests/integration/update_cluster/docker-custom/cloudformation.json @@ -952,15 +952,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { 
@@ -1070,38 +1061,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "docker.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "docker.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1202,6 +1161,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "docker.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy b/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy index 58e36080b7..bf13f34069 100644 --- a/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy +++ b/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { 
@@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "existingsg.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "existingsg.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "existingsg.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/externallb/cloudformation.json b/tests/integration/update_cluster/externallb/cloudformation.json index b32f22e995..cc637475a9 100644 --- a/tests/integration/update_cluster/externallb/cloudformation.json +++ b/tests/integration/update_cluster/externallb/cloudformation.json @@ -968,15 +968,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { 
@@ -1086,38 +1077,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "externallb.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "externallb.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1218,6 +1177,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "externallb.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy b/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy index 0a9cdd5020..93261014f0 100644 --- a/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy +++ b/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { 
@@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "externallb.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "externallb.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "externallb.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy b/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy index 300f5b5462..2954677812 100644 --- a/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy +++ b/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy 
@@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "externalpolicies.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "externalpolicies.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "externalpolicies.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy b/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy index 9710d11557..1103f3bf35 100644 --- a/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy +++ b/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy 
@@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "ha.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "ha.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "ha.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy index 174cf75583..9e61589bdf 100644 --- a/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy 
@@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_aws-cloud-controller-manager.kube-system.sa.minimal.example.com_policy b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_aws-cloud-controller-manager.kube-system.sa.minimal.example.com_policy index 0ba3d033f7..0652c21f5a 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_aws-cloud-controller-manager.kube-system.sa.minimal.example.com_policy 
+++ b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_aws-cloud-controller-manager.kube-system.sa.minimal.example.com_policy @@ -16,26 +16,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:DescribeAutoScalingGroups", @@ -97,6 +77,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_ebs-csi-controller-sa.kube-system.sa.minimal.example.com_policy b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_ebs-csi-controller-sa.kube-system.sa.minimal.example.com_policy index 993a4cefa0..e7e073150a 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_ebs-csi-controller-sa.kube-system.sa.minimal.example.com_policy +++ b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_ebs-csi-controller-sa.kube-system.sa.minimal.example.com_policy 
@@ -1,17 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -71,6 +59,16 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": "ec2:CreateVolume", + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy index b8395c9bb5..3f8a9c41d3 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { diff --git a/tests/integration/update_cluster/many-addons-ccm/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/many-addons-ccm/data/aws_iam_role_policy_masters.minimal.example.com_policy index 0486a8f5a0..cc0e0791ca 100644 --- a/tests/integration/update_cluster/many-addons-ccm/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/many-addons-ccm/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { 
@@ -102,18 +93,6 @@ "*" ] }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -159,26 +138,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "ec2:AuthorizeSecurityGroupIngress", @@ -296,6 +255,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy index 63f8b01dd7..c9d77ce224 100644 --- a/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy 
@@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -296,6 +255,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal-etcd/cloudformation.json b/tests/integration/update_cluster/minimal-etcd/cloudformation.json index d80712f762..abc0ce3706 100644 --- a/tests/integration/update_cluster/minimal-etcd/cloudformation.json +++ b/tests/integration/update_cluster/minimal-etcd/cloudformation.json 
@@ -952,15 +952,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -1070,38 +1061,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal-etcd.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal-etcd.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1202,6 +1161,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal-etcd.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal-gp3/cloudformation.json b/tests/integration/update_cluster/minimal-gp3/cloudformation.json index f0fa333d02..e1959dbdca 100644 --- a/tests/integration/update_cluster/minimal-gp3/cloudformation.json +++ b/tests/integration/update_cluster/minimal-gp3/cloudformation.json 
@@ -948,15 +948,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -1066,38 +1057,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1198,6 +1157,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy index 174cf75583..9e61589bdf 100644 --- a/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy 
@@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal-ipv6/cloudformation.json b/tests/integration/update_cluster/minimal-ipv6/cloudformation.json index 9e9c78a20d..b45589f312 100644 --- a/tests/integration/update_cluster/minimal-ipv6/cloudformation.json +++ b/tests/integration/update_cluster/minimal-ipv6/cloudformation.json 
@@ -1129,15 +1129,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -1247,38 +1238,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal-ipv6.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal-ipv6.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1379,6 +1338,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal-ipv6.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy b/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy index 9b8491cb85..e4550eceb3 100644 --- a/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy 
+++ b/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal-ipv6.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal-ipv6.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal-ipv6.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy b/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy index 3278d4376a..e365f7f8ec 100644 
--- a/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy +++ b/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal-json.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal-json.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal-json.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" 
diff --git a/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy b/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy index d21622ac5b..a590afec15 100644 --- a/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy +++ b/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal-warmpool.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal-warmpool.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { 
@@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal-warmpool.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal/cloudformation.json b/tests/integration/update_cluster/minimal/cloudformation.json index 9af123a782..daa2f5a74c 100644 --- a/tests/integration/update_cluster/minimal/cloudformation.json +++ b/tests/integration/update_cluster/minimal/cloudformation.json @@ -952,15 +952,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -1070,38 +1061,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { 
@@ -1202,6 +1161,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy index 174cf75583..9e61589bdf 100644 --- a/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { 
@@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy b/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy index 8f2ab76bed..8e0797695a 100644 --- a/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy +++ b/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -89,38 +80,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.k8s.local" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.k8s.local" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { 
@@ -221,6 +180,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.k8s.local" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/mixed_instances/cloudformation.json b/tests/integration/update_cluster/mixed_instances/cloudformation.json index 32898f63a7..794c9fc1ad 100644 --- a/tests/integration/update_cluster/mixed_instances/cloudformation.json +++ b/tests/integration/update_cluster/mixed_instances/cloudformation.json @@ -1671,15 +1671,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -1789,38 +1780,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { 
@@ -1921,6 +1880,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "mixedinstances.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy b/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy index 50cde88e5a..9d8d855ec6 100644 --- a/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy +++ b/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { 
@@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "mixedinstances.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json b/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json index 4c60e0e430..e909e395a1 100644 --- a/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json +++ b/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json @@ -1672,15 +1672,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { 
@@ -1790,38 +1781,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1922,6 +1881,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "mixedinstances.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy b/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy index 50cde88e5a..9d8d855ec6 100644 --- a/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy +++ b/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy 
@@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "mixedinstances.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json b/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json index fb09de86d0..521fdd967d 100644 --- a/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json +++ b/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json 
@@ -1062,15 +1062,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -1180,38 +1171,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "nthsqsresources.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "nthsqsresources.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1315,6 +1274,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "nthsqsresources.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy b/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy index f5fc1f369f..0369b69e7a 100644 --- a/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy 
+++ b/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "nthsqsresources.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "nthsqsresources.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -253,6 +212,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "nthsqsresources.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/private-shared-ip/cloudformation.json b/tests/integration/update_cluster/private-shared-ip/cloudformation.json index d2dfb44be5..2e4d65a730 100644 --- a/tests/integration/update_cluster/private-shared-ip/cloudformation.json +++ b/tests/integration/update_cluster/private-shared-ip/cloudformation.json 
@@ -1468,15 +1468,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -1586,38 +1577,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "private-shared-ip.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "private-shared-ip.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1718,6 +1677,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "private-shared-ip.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy b/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy index 1c45df2ffb..3e6f10ff4d 100644 --- a/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy 
+++ b/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "private-shared-ip.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "private-shared-ip.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "private-shared-ip.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy b/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy index 75a3ffc794..8dc9c6c123 100644 
--- a/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy +++ b/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "private-shared-subnet.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "private-shared-subnet.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "private-shared-subnet.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privatecalico/cloudformation.json b/tests/integration/update_cluster/privatecalico/cloudformation.json index d5fe649c70..cf7459831b 100644 
--- a/tests/integration/update_cluster/privatecalico/cloudformation.json +++ b/tests/integration/update_cluster/privatecalico/cloudformation.json @@ -1624,15 +1624,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -1742,38 +1733,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatecalico.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatecalico.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1875,6 +1834,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privatecalico.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy b/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy index 52d6f76935..29b566e01b 100644 
--- a/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy +++ b/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatecalico.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatecalico.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -251,6 +210,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privatecalico.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" 
diff --git a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy index ed9d462876..31fac5b213 100644 --- a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy +++ b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatecanal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatecanal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { 
@@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privatecanal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privatecilium/cloudformation.json b/tests/integration/update_cluster/privatecilium/cloudformation.json index 4ac9885826..384c7a67cd 100644 --- a/tests/integration/update_cluster/privatecilium/cloudformation.json +++ b/tests/integration/update_cluster/privatecilium/cloudformation.json @@ -1610,15 +1610,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -1728,38 +1719,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatecilium.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatecilium.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { 
@@ -1860,6 +1819,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privatecilium.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy b/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy index f1e22f8f61..820d65d3b6 100644 --- a/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy +++ b/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { 
@@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatecilium.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatecilium.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privatecilium.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privatecilium2/cloudformation.json b/tests/integration/update_cluster/privatecilium2/cloudformation.json index a6aedee34a..5855979c0a 100644 --- a/tests/integration/update_cluster/privatecilium2/cloudformation.json +++ b/tests/integration/update_cluster/privatecilium2/cloudformation.json @@ -1610,15 +1610,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { 
@@ -1728,38 +1719,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatecilium.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatecilium.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1860,6 +1819,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privatecilium.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy b/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy index f1e22f8f61..820d65d3b6 100644 --- a/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy +++ b/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy 
@@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatecilium.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatecilium.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privatecilium.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json b/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json index 3b3ffbf359..c9f565b432 100644 --- a/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json +++ b/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json 
@@ -1643,15 +1643,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -1771,38 +1762,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privateciliumadvanced.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privateciliumadvanced.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -1912,6 +1871,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privateciliumadvanced.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy b/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy index de5567256d..0fac10a832 100644 
--- a/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy +++ b/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -128,38 +119,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privateciliumadvanced.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privateciliumadvanced.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -269,6 +228,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privateciliumadvanced.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" 
diff --git a/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy b/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy index 02b189a5aa..75df11b15c 100644 --- a/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy +++ b/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatedns1.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatedns1.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privatedns1.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" 
diff --git a/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy b/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy index 6e18da6b7b..c1206b9ef6 100644 --- a/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy +++ b/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatedns2.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatedns2.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privatedns2.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" 
diff --git a/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy b/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy index 51cb793c02..764e945687 100644 --- a/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy +++ b/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privateflannel.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privateflannel.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { 
@@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privateflannel.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy b/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy index e340b618e3..432320541c 100644 --- a/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy +++ b/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { 
@@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatekopeio.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privatekopeio.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privatekopeio.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy b/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy index 3761c84aba..3b78bf99bb 100644 --- a/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy +++ b/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy 
@@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privateweave.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "privateweave.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "privateweave.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy index 1710195103..836bf55565 100644 --- a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy 
+++ b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -118,26 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "autoscaling:DescribeAutoScalingGroups", @@ -203,6 +174,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy b/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy index fe5321afe1..6a17231680 100644 --- a/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy +++ b/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy 
@@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "sharedsubnet.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "sharedsubnet.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "sharedsubnet.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy b/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy index 286f391b8a..72357beb1e 100644 --- a/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy +++ b/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy 
@@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "sharedvpc.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "sharedvpc.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "sharedvpc.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy b/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy index 4637d5db46..b260ea9bcd 100644 --- a/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy +++ b/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy 
@@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "unmanaged.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "unmanaged.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "unmanaged.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy index 174cf75583..9e61589bdf 100644 --- a/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy 
@@ -1,14 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": "ec2:AttachVolume", "Condition": { @@ -118,38 +109,6 @@ "arn:aws:ec2:*:*:snapshot/*" ] }, - { - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "ec2:CreateSecurityGroup", - "ec2:CreateVolume", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateVolume" - ], - "Condition": { - "StringEquals": { - "aws:RequestTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": "*" - }, { "Action": "ec2:CreateTags", "Condition": { @@ -250,6 +209,24 @@ }, "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateVolume", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateTargetGroup" + ], + "Condition": { + "StringEquals": { + "aws:RequestTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17"