From df5b58b1b3ec863a18d38b9cc9cab6aec3f15968 Mon Sep 17 00:00:00 2001 
From: Ole Markus With Date: Thu, 1 Jul 2021 10:24:06 +0200 Subject: [PATCH] Add sets for the typical default role perms --- .../awsloadbalancercontroller/iam.go | 4 +- pkg/model/iam/iam_builder.go | 215 +++++-------- .../iam/tests/iam_builder_master_strict.json | 166 ++-------- .../tests/iam_builder_master_strict_ecr.json | 166 ++-------- .../iam/tests/iam_builder_node_strict.json | 34 +-- .../tests/iam_builder_node_strict_ecr.json | 30 +- .../apiservernodes/cloudformation.json | 286 +++++------------- ....kube-system.sa.minimal.example.com_policy | 64 ++-- ..._policy_masters.minimal.example.com_policy | 157 +++------- ...le_policy_nodes.minimal.example.com_policy | 34 +-- ...masters.bastionuserdata.example.com_policy | 144 ++------- ...y_nodes.bastionuserdata.example.com_policy | 34 +-- .../complex/cloudformation.json | 178 +++-------- ..._policy_masters.complex.example.com_policy | 144 ++------- ...le_policy_nodes.complex.example.com_policy | 34 +-- ...policy_masters.compress.example.com_policy | 144 ++------- ...e_policy_nodes.compress.example.com_policy | 34 +-- .../containerd-custom/cloudformation.json | 178 +++-------- .../containerd/cloudformation.json | 178 +++-------- .../docker-custom/cloudformation.json | 178 +++-------- ...licy_masters.existingsg.example.com_policy | 144 ++------- ...policy_nodes.existingsg.example.com_policy | 34 +-- .../externallb/cloudformation.json | 178 +++-------- ...licy_masters.externallb.example.com_policy | 144 ++------- ...policy_nodes.externallb.example.com_policy | 34 +-- ...asters.externalpolicies.example.com_policy | 144 ++------- ..._nodes.externalpolicies.example.com_policy | 34 +-- ..._role_policy_masters.ha.example.com_policy | 144 ++------- ...am_role_policy_nodes.ha.example.com_policy | 34 +-- ..._policy_masters.minimal.example.com_policy | 144 ++------- ...le_policy_nodes.minimal.example.com_policy | 34 +-- ..._policy_masters.minimal.example.com_policy | 148 ++------- ...le_policy_nodes.minimal.example.com_policy | 
38 +-- .../minimal-etcd/cloudformation.json | 178 +++-------- .../minimal-gp3/cloudformation.json | 178 +++-------- ..._policy_masters.minimal.example.com_policy | 144 ++------- ...le_policy_nodes.minimal.example.com_policy | 34 +-- .../minimal-ipv6/cloudformation.json | 178 +++-------- ...cy_masters.minimal-ipv6.example.com_policy | 144 ++------- ...licy_nodes.minimal-ipv6.example.com_policy | 34 +-- ...cy_masters.minimal-json.example.com_policy | 144 ++------- ...licy_nodes.minimal-json.example.com_policy | 34 +-- ...asters.minimal-warmpool.example.com_policy | 144 ++------- ..._nodes.minimal-warmpool.example.com_policy | 34 +-- .../minimal/cloudformation.json | 178 +++-------- ..._policy_masters.minimal.example.com_policy | 144 ++------- ...le_policy_nodes.minimal.example.com_policy | 34 +-- ...le_policy_masters.minimal.k8s.local_policy | 144 ++------- ...role_policy_nodes.minimal.k8s.local_policy | 34 +-- .../mixed_instances/cloudformation.json | 178 +++-------- ..._masters.mixedinstances.example.com_policy | 144 ++------- ...cy_nodes.mixedinstances.example.com_policy | 34 +-- .../mixed_instances_spot/cloudformation.json | 178 +++-------- ..._masters.mixedinstances.example.com_policy | 144 ++------- ...cy_nodes.mixedinstances.example.com_policy | 34 +-- .../nth_sqs_resources/cloudformation.json | 182 +++-------- ...masters.nthsqsresources.example.com_policy | 148 ++------- ...y_nodes.nthsqsresources.example.com_policy | 34 +-- .../private-shared-ip/cloudformation.json | 178 +++-------- ...sters.private-shared-ip.example.com_policy | 144 ++------- ...nodes.private-shared-ip.example.com_policy | 34 +-- ...s.private-shared-subnet.example.com_policy | 144 ++------- ...s.private-shared-subnet.example.com_policy | 34 +-- .../privatecalico/cloudformation.json | 173 ++--------- ...y_masters.privatecalico.example.com_policy | 144 ++------- ...icy_nodes.privatecalico.example.com_policy | 29 +- ...cy_masters.privatecanal.example.com_policy | 144 ++------- 
...licy_nodes.privatecanal.example.com_policy | 34 +-- .../privatecilium/cloudformation.json | 178 +++-------- ...y_masters.privatecilium.example.com_policy | 144 ++------- ...icy_nodes.privatecilium.example.com_policy | 34 +-- .../privatecilium2/cloudformation.json | 178 +++-------- ...y_masters.privatecilium.example.com_policy | 144 ++------- ...icy_nodes.privatecilium.example.com_policy | 34 +-- .../privateciliumadvanced/cloudformation.json | 182 +++-------- ...s.privateciliumadvanced.example.com_policy | 148 ++------- ...s.privateciliumadvanced.example.com_policy | 34 +-- ...icy_masters.privatedns1.example.com_policy | 144 ++------- ...olicy_nodes.privatedns1.example.com_policy | 34 +-- ...icy_masters.privatedns2.example.com_policy | 144 ++------- ...olicy_nodes.privatedns2.example.com_policy | 34 +-- ..._masters.privateflannel.example.com_policy | 144 ++------- ...cy_nodes.privateflannel.example.com_policy | 34 +-- ...y_masters.privatekopeio.example.com_policy | 144 ++------- ...icy_nodes.privatekopeio.example.com_policy | 34 +-- ...cy_masters.privateweave.example.com_policy | 144 ++------- ...licy_nodes.privateweave.example.com_policy | 34 +-- ..._policy_masters.minimal.example.com_policy | 157 +++------- ...le_policy_nodes.minimal.example.com_policy | 34 +-- ...cy_masters.sharedsubnet.example.com_policy | 144 ++------- ...licy_nodes.sharedsubnet.example.com_policy | 34 +-- ...olicy_masters.sharedvpc.example.com_policy | 144 ++------- ..._policy_nodes.sharedvpc.example.com_policy | 34 +-- ...olicy_masters.unmanaged.example.com_policy | 144 ++------- ..._policy_nodes.unmanaged.example.com_policy | 34 +-- ..._policy_masters.minimal.example.com_policy | 144 ++------- ...le_policy_nodes.minimal.example.com_policy | 34 +-- 97 files changed, 2179 insertions(+), 8260 deletions(-) diff --git a/pkg/model/components/addonmanifests/awsloadbalancercontroller/iam.go b/pkg/model/components/addonmanifests/awsloadbalancercontroller/iam.go index 3f0bec3547..f27e4f3d31 100644 
--- a/pkg/model/components/addonmanifests/awsloadbalancercontroller/iam.go +++ b/pkg/model/components/addonmanifests/awsloadbalancercontroller/iam.go @@ -19,7 +19,6 @@ package awsloadbalancercontroller import ( "k8s.io/apimachinery/pkg/types" "k8s.io/kops/pkg/model/iam" - "k8s.io/kops/pkg/util/stringorslice" ) // ServiceAccount represents the service-account used by the dns-controller. @@ -31,12 +30,11 @@ var _ iam.Subject = &ServiceAccount{} // BuildAWSPolicy generates a custom policy for a ServiceAccount IAM role. func (r *ServiceAccount) BuildAWSPolicy(b *iam.PolicyBuilder) (*iam.Policy, error) { - resource := stringorslice.Slice([]string{"*"}) clusterName := b.Cluster.ObjectMeta.Name p := iam.NewPolicy(clusterName) iam.AddAWSLoadbalancerControllerPermissions(p) - iam.AddMasterEC2Policies(p, resource, clusterName) + iam.AddMasterEC2Policies(p) iam.AddMasterELBPolicies(p) return p, nil diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go index 4d33e164e8..058b18f62d 100644 --- a/pkg/model/iam/iam_builder.go +++ b/pkg/model/iam/iam_builder.go @@ -271,13 +271,13 @@ func NewPolicy(clusterName string) *Policy { // BuildAWSPolicy generates a custom policy for a Kubernetes master. func (r *NodeRoleAPIServer) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) { - resource := createResource(b) + resource := stringorslice.String("*") p := NewPolicy(b.Cluster.GetClusterName()) - AddMasterEC2Policies(p, resource, b.Cluster.GetName()) - addASLifecyclePolicies(p, resource, b.Cluster.GetName(), r.warmPool) - addCertIAMPolicies(p, resource) + AddMasterEC2Policies(p) + addASLifecyclePolicies(p, r.warmPool) + addCertIAMPolicies(p) addKMSGenerateRandomPolicies(p) var err error 
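Review bot: `ServiceAccount.BuildAWSPolicy` in awsloadbalancercontroller/iam.go still hands the load-balancer controller's IRSA role the whole master EC2 set through `iam.AddMasterEC2Policies(p)`, and the controller fixture regenerated later in this patch shows that set includes `ec2:AttachVolume`, `ec2:CreateRoute`, `ec2:DeleteRoute`, `ec2:DeleteSecurityGroup` and `ec2:ModifyInstanceAttribute`, none of which a load-balancer controller has a reason to call. The over-grant predates this commit, but the refactor is the natural place to stop it: give the controller its own insert of the Describe* and security-group actions it actually needs instead of reusing the master helper, e.g. `p.unconditionalAction.Insert("ec2:DescribeAccountAttributes", "ec2:DescribeSecurityGroups", ...)` behind an exported helper in package iam, since the action sets look like unexported fields of `Policy`. I can see only the action names in the fixture, not the controller's API usage, so the minimal list should be checked against the controller's documented policy.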
@@ -314,16 +314,16 @@ func (r *NodeRoleAPIServer) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) { // BuildAWSPolicy generates a custom policy for a Kubernetes master. func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) { - resource := createResource(b) + resource := stringorslice.String("*") clusterName := b.Cluster.GetName() p := NewPolicy(clusterName) - AddMasterEC2Policies(p, resource, b.Cluster.GetName()) - addASLifecyclePolicies(p, resource, b.Cluster.GetName(), true) - addMasterASPolicies(p, resource, b.Cluster.GetName()) + AddMasterEC2Policies(p) + addASLifecyclePolicies(p, true) + addMasterASPolicies(p) AddMasterELBPolicies(p) - addCertIAMPolicies(p, resource) + addCertIAMPolicies(p) addKMSGenerateRandomPolicies(p) var err error @@ -382,12 +382,12 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) { // BuildAWSPolicy generates a custom policy for a Kubernetes node. func (r *NodeRoleNode) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) { - resource := createResource(b) + resource := stringorslice.String("*") p := NewPolicy(b.Cluster.GetClusterName()) - addNodeEC2Policies(p, resource) - addASLifecyclePolicies(p, resource, b.Cluster.GetName(), r.enableLifecycleHookPermissions) + addNodeEC2Policies(p) + addASLifecyclePolicies(p, r.enableLifecycleHookPermissions) addKMSGenerateRandomPolicies(p) var err error 
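Review bot: All three builders now assign `resource := stringorslice.String("*")`, yet none of the calls changed in these hunks consume it, so the local is kept alive only by whatever follows `var err error` outside the hunk; if those remaining consumers are helpers that, like `addKMSIAMPolicies` in this patch, now ignore their `resource` parameter, both the local and the no-longer-referenced `createResource` are dead code that `go vet`/staticcheck will flag and should be removed in the same change. Separately, `createResource(b)` is replaced by a constant wildcard without its body appearing in this patch; the strict fixtures only ever showed `*`, so this is probably a no-op, but if it could return a narrower resource list for some configurations this silently widens the master, apiserver and node roles. Both builder bodies continue past the end of the hunk.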
@@ -949,41 +949,31 @@ func AddDNSControllerPermissions(b *PolicyBuilder, p *Policy) { func addKMSIAMPolicies(p *Policy, resource stringorslice.StringOrSlice) { // TODO could use "kms:ViaService" Condition Key here? - p.Statement = append(p.Statement, &Statement{ - Effect: StatementEffectAllow, - Action: stringorslice.Of( - "kms:CreateGrant", - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*", - ), - Resource: resource, - }) + p.unconditionalAction.Insert( + "kms:CreateGrant", + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:GenerateDataKey*", + "kms:ReEncrypt*", + ) } func addKMSGenerateRandomPolicies(p *Policy) { // For nodeup to seed the instance's random number generator. - p.Statement = append(p.Statement, &Statement{ - Effect: StatementEffectAllow, - Action: stringorslice.Of( - "kms:GenerateRandom", - ), - Resource: stringorslice.Slice([]string{"*"}), - }) + p.unconditionalAction.Insert( + "kms:GenerateRandom", + ) } -func addNodeEC2Policies(p *Policy, resource stringorslice.StringOrSlice) { +func addNodeEC2Policies(p *Policy) { // Protokube makes a DescribeInstances call, DescribeRegions when finding S3 State Bucket - p.Statement = append(p.Statement, &Statement{ - Effect: StatementEffectAllow, - Action: stringorslice.Slice([]string{"ec2:DescribeInstances", "ec2:DescribeRegions"}), - Resource: resource, - }) + p.unconditionalAction.Insert( + "ec2:DescribeInstances", "ec2:DescribeRegions", + ) } -func AddMasterEC2Policies(p *Policy, resource stringorslice.StringOrSlice, clusterName string) { +func AddMasterEC2Policies(p *Policy) { // Describe* calls don't support any additional IAM restrictions // The non-Describe* ec2 calls support different types of filtering: // http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html 
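Review bot: `addKMSIAMPolicies` now ignores its `resource` parameter and inserts the KMS actions into `unconditionalAction`, so `kms:CreateGrant`, `kms:Decrypt`, `kms:Encrypt`, `kms:GenerateDataKey*` and `kms:ReEncrypt*` land in the `Resource: "*"` statement; the strict master fixture in this same patch confirms it, dropping the statement scoped to `key-id-1`..`key-id-3` and folding those actions into the wildcard statement. That widens a master's reach from the keys kops was configured with to every KMS key in the account whose key policy trusts IAM, which is a least-privilege regression rather than a refactor. Keep the KMS actions resource-scoped, e.g. `p.Statement = append(p.Statement, &Statement{Effect: StatementEffectAllow, Action: stringorslice.Of("kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", "kms:GenerateDataKey*", "kms:ReEncrypt*"), Resource: resource})`, or add a per-resource action set next to `unconditionalAction`. The two sets and the code that marshals them into statements are defined outside this hunk, so I cannot see whether a resource-keyed set already exists.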
@@ -995,47 +985,26 @@ func AddMasterEC2Policies(p *Policy, resource stringorslice.StringOrSlice, clust // Network Routing Permissions - May not be required with the CNI Networking provider // Comments are which cloudprovider code file makes the call - p.Statement = append(p.Statement, - &Statement{ - Effect: StatementEffectAllow, - Action: stringorslice.Slice([]string{ - "ec2:DescribeAccountAttributes", // aws.go - "ec2:DescribeInstances", // aws.go - "ec2:DescribeInternetGateways", // aws.go - "ec2:DescribeRegions", // s3context.go - "ec2:DescribeRouteTables", // aws.go - "ec2:DescribeSecurityGroups", // aws.go - "ec2:DescribeSubnets", // aws.go - "ec2:DescribeVolumes", // aws.go - }), - Resource: resource, - }, - &Statement{ - Effect: StatementEffectAllow, - Action: stringorslice.Slice([]string{ - "ec2:CreateSecurityGroup", // aws.go - "ec2:CreateTags", // aws.go, tag.go - "ec2:ModifyInstanceAttribute", // aws.go - }), - Resource: resource, - }, - &Statement{ - Effect: StatementEffectAllow, - Action: stringorslice.Of( - "ec2:AttachVolume", // aws.go - "ec2:AuthorizeSecurityGroupIngress", // aws.go - "ec2:CreateRoute", // aws.go - "ec2:DeleteRoute", // aws.go - "ec2:DeleteSecurityGroup", // aws.go - "ec2:RevokeSecurityGroupIngress", // aws.go - ), - Resource: resource, - Condition: Condition{ - "StringEquals": map[string]string{ - "ec2:ResourceTag/KubernetesCluster": clusterName, - }, - }, - }, + p.unconditionalAction.Insert( + "ec2:DescribeAccountAttributes", // aws.go + "ec2:DescribeInstances", // aws.go + "ec2:DescribeInternetGateways", // aws.go + "ec2:DescribeRegions", // s3context.go + "ec2:DescribeRouteTables", // aws.go + "ec2:DescribeSecurityGroups", // aws.go + "ec2:DescribeSubnets", // aws.go + "ec2:DescribeVolumes", // aws.go + "ec2:CreateSecurityGroup", // aws.go + "ec2:CreateTags", // aws.go, tag.go + "ec2:ModifyInstanceAttribute", // aws.go + ) + p.clusterTaggedAction.Insert( + "ec2:AttachVolume", // aws.go + "ec2:AuthorizeSecurityGroupIngress", // 
aws.go + "ec2:CreateRoute", // aws.go + "ec2:DeleteRoute", // aws.go + "ec2:DeleteSecurityGroup", // aws.go + "ec2:RevokeSecurityGroupIngress", // aws.go ) } 
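Review bot: `ec2:CreateTags` and `ec2:ModifyInstanceAttribute` go into `unconditionalAction`, i.e. `Resource: "*"` with no condition, and that undercuts the `clusterTaggedAction` split this commit introduces: a principal that can tag any resource in the account with `KubernetesCluster=<name>` can make any volume, route table or security group satisfy the `aws:ResourceTag/KubernetesCluster` condition, so the tag gate only restrains principals that cannot call `CreateTags`. The regenerated strict fixture also lists `ec2:ModifyInstanceAttribute` in both the wildcard statement and the tag-conditioned one, so the conditioned grant is redundant. If the cloud provider only modifies attributes of instances that belong to the cluster, move it with `p.clusterTaggedAction.Insert("ec2:ModifyInstanceAttribute")`, and consider limiting `ec2:CreateTags` to resource creation via an `ec2:CreateAction` condition; both need confirming against the cloud-provider call sites named in the comments, which I cannot see here. The comment header of `AddMasterEC2Policies` starts in the previous hunk.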
@@ -1075,81 +1044,41 @@ func AddMasterELBPolicies(p *Policy) { ) } -func addMasterASPolicies(p *Policy, resource stringorslice.StringOrSlice, clusterName string) { +func addMasterASPolicies(p *Policy) { // Comments are which cloudprovider / autoscaler code file makes the call // TODO: Make optional only if using autoscalers - p.Statement = append(p.Statement, - &Statement{ - Effect: StatementEffectAllow, - Action: stringorslice.Of( - "autoscaling:DescribeAutoScalingGroups", // aws_instancegroups.go - "autoscaling:DescribeLaunchConfigurations", // aws.go - "autoscaling:DescribeTags", // auto_scaling.go - "ec2:DescribeLaunchTemplateVersions", - ), - Resource: resource, - }, - &Statement{ - Effect: StatementEffectAllow, - Action: stringorslice.Of( - "autoscaling:CompleteLifecycleAction", // aws_manager.go - "autoscaling:DescribeAutoScalingInstances", // aws_instancegroups.go - ), - Resource: resource, - Condition: Condition{ - "StringEquals": map[string]string{ - "autoscaling:ResourceTag/KubernetesCluster": clusterName, - }, - }, - }, + p.unconditionalAction.Insert( + "autoscaling:DescribeAutoScalingGroups", // aws_instancegroups.go + "autoscaling:DescribeLaunchConfigurations", // aws.go + "autoscaling:DescribeTags", // auto_scaling.go + "ec2:DescribeLaunchTemplateVersions", + ) + p.clusterTaggedAction.Insert( + "autoscaling:CompleteLifecycleAction", // aws_manager.go + "autoscaling:DescribeAutoScalingInstances", // aws_instancegroups.go ) } -func addASLifecyclePolicies(p *Policy, resource stringorslice.StringOrSlice, clusterName string, enableHookSupport bool) { +func addASLifecyclePolicies(p *Policy, enableHookSupport bool) { if enableHookSupport { - p.Statement = append(p.Statement, - &Statement{ - Effect: StatementEffectAllow, - Action: stringorslice.Of( - "autoscaling:CompleteLifecycleAction", // aws_manager.go - ), - Resource: resource, - Condition: Condition{ - "StringEquals": map[string]string{ - "autoscaling:ResourceTag/KubernetesCluster": clusterName, - }, - 
}, - }, - &Statement{ - Effect: StatementEffectAllow, - Action: stringorslice.Of( - "autoscaling:DescribeLifecycleHooks", - ), - Resource: resource, - }, + p.clusterTaggedAction.Insert( + "autoscaling:CompleteLifecycleAction", // aws_manager.go + ) + p.unconditionalAction.Insert( + "autoscaling:DescribeLifecycleHooks", ) } - p.Statement = append(p.Statement, - - &Statement{ - Effect: StatementEffectAllow, - Action: stringorslice.Of( - "autoscaling:DescribeAutoScalingInstances", - ), - Resource: resource, - }) + p.unconditionalAction.Insert( + "autoscaling:DescribeAutoScalingInstances", + ) } -func addCertIAMPolicies(p *Policy, resource stringorslice.StringOrSlice) { +func addCertIAMPolicies(p *Policy) { // TODO: Make optional only if using IAM SSL Certs on ELBs - p.Statement = append(p.Statement, &Statement{ - Effect: StatementEffectAllow, - Action: stringorslice.Of( - "iam:ListServerCertificates", - "iam:GetServerCertificate", - ), - Resource: resource, - }) + p.unconditionalAction.Insert( + "iam:ListServerCertificates", + "iam:GetServerCertificate", + ) } func addLyftVPCPermissions(p *Policy, resource stringorslice.StringOrSlice, clusterName string) { diff --git a/pkg/model/iam/tests/iam_builder_master_strict.json b/pkg/model/iam/tests/iam_builder_master_strict.json index 682910dcbd..6212c95346 100644 --- a/pkg/model/iam/tests/iam_builder_master_strict.json +++ b/pkg/model/iam/tests/iam_builder_master_strict.json 
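Review bot: `addMasterASPolicies` puts `autoscaling:DescribeAutoScalingInstances` into `clusterTaggedAction`, but `addASLifecyclePolicies`, which every master builder also calls, inserts the same action into `unconditionalAction`, so the tag-conditioned entry can never be the deciding grant and it appears twice in the regenerated strict fixture. Describe calls on Auto Scaling have no tagged resource for the condition to match, so the conditioned copy is misleading rather than protective; reduce the tagged insert to `p.clusterTaggedAction.Insert("autoscaling:CompleteLifecycleAction")` and let the unconditional set carry the Describe. `addLyftVPCPermissions` still takes `resource` and `clusterName` after this hunk; its body is outside the hunk, so I cannot tell whether it should migrate to the sets as well.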
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - 
"Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -135,22 +19,6 @@ "arn:aws:s3:::kops-tests" ] }, - { - "Action": [ - "kms:CreateGrant", - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": [ - "key-id-1", - "key-id-2", - "key-id-3" - ] - }, { "Action": [ "ec2:CreateVolume" @@ -220,12 +88,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", 
@@ -254,18 +136,34 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:CreateGrant", + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:GenerateDataKey*", + "kms:GenerateRandom", + "kms:ReEncrypt*" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { diff --git a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json index f44a758ab4..b92fec8f40 100644 --- a/pkg/model/iam/tests/iam_builder_master_strict_ecr.json +++ b/pkg/model/iam/tests/iam_builder_master_strict_ecr.json 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "iam-builder-test.k8s.local" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - 
"Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -135,22 +19,6 @@ "arn:aws:s3:::kops-tests" ] }, - { - "Action": [ - "kms:CreateGrant", - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": [ - "key-id-1", - "key-id-2", - "key-id-3" - ] - }, { "Action": [ "ec2:CreateVolume" @@ -220,12 +88,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:DescribeRepositories", 
@@ -261,18 +143,34 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:CreateGrant", + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:GenerateDataKey*", + "kms:GenerateRandom", + "kms:ReEncrypt*" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { diff --git a/pkg/model/iam/tests/iam_builder_node_strict.json b/pkg/model/iam/tests/iam_builder_node_strict.json index dc5b423d86..2eeada7859 100644 --- a/pkg/model/iam/tests/iam_builder_node_strict.json +++ b/pkg/model/iam/tests/iam_builder_node_strict.json @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -51,6 +27,16 @@ "Resource": [ "arn:aws:s3:::kops-tests" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" 
diff --git a/pkg/model/iam/tests/iam_builder_node_strict_ecr.json b/pkg/model/iam/tests/iam_builder_node_strict_ecr.json index 9121881a94..537c8ad3f7 100644 --- a/pkg/model/iam/tests/iam_builder_node_strict_ecr.json +++ b/pkg/model/iam/tests/iam_builder_node_strict_ecr.json @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -54,13 +30,17 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:DescribeRepositories", "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer", "ecr:GetRepositoryPolicy", - "ecr:ListImages" + "ecr:ListImages", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" diff --git a/tests/integration/update_cluster/apiservernodes/cloudformation.json b/tests/integration/update_cluster/apiservernodes/cloudformation.json index 8fbc56c3b5..16f47d5918 100644 --- a/tests/integration/update_cluster/apiservernodes/cloudformation.json +++ b/tests/integration/update_cluster/apiservernodes/cloudformation.json 
@@ -1170,76 +1170,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" 
@@ -1258,6 +1188,44 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVolumes", + "ec2:ModifyInstanceAttribute", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" 
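Review bot: The regenerated apiserver-node policy carries `"aws:ResourceTag/KubernetesCluster": ""` on `ec2:AttachVolume`, `ec2:CreateRoute`, `ec2:DeleteRoute`, `ec2:DeleteSecurityGroup` and the security-group ingress actions, where the statement it replaces had `minimal.example.com`; a StringEquals against the empty string matches no tagged resource, so this fixture encodes a policy that denies the apiserver role all of those calls. The likely cause is `NodeRoleAPIServer.BuildAWSPolicy` calling `NewPolicy(b.Cluster.GetClusterName())` while the master builder uses `b.Cluster.GetName()` and the load-balancer fixture, built from `ObjectMeta.Name`, keeps the real name; the node builder also uses `GetClusterName()` but has no tag-conditioned actions, which would explain why only this role shows the symptom. A fixture should not be committed with an empty tag value either way; guard it in the builder before `NewPolicy`, e.g. `clusterName := b.Cluster.GetClusterName()` followed by `if clusterName == "" { return nil, fmt.Errorf("cluster name is required for tag-conditioned IAM statements") }`, rather than emitting an unsatisfiable condition. The builder hunk is earlier in this patch and `GetClusterName` is not visible here, so the root cause is inferred.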
@@ -1275,122 +1243,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - 
"Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -1540,12 +1392,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -1574,18 +1440,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { 
@@ -1611,30 +1487,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -1660,6 +1512,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy index 7fac0455a4..b29caea73b 100644 --- a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy +++ b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy 
@@ -21,55 +21,20 @@ }, { "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", + "ec2:DescribeAvailabilityZones", "ec2:DescribeInstances", "ec2:DescribeInternetGateways", + "ec2:DescribeNetworkInterfaces", "ec2:DescribeRegions", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:DescribeAvailabilityZones", - "ec2:DescribeNetworkInterfaces", + "ec2:DescribeVolumes", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -107,6 +72,23 @@ ], "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy index f3429c9fa4..d131e25d03 100644 
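Review bot: The aws-load-balancer-controller policy keeps `ec2:AttachVolume`, `ec2:CreateRoute`, `ec2:DeleteRoute`, `ec2:DescribeVolumes` and `ec2:ModifyInstanceAttribute` after the merge (second hunk, `@@ -107,6 +72,23 @@`), none of which a load-balancer controller calls; the filename suggests this is the role for the kube-system service account, so it looks like the per-role default permission set is also being applied to service-account roles. Least privilege would limit the defaults to the masters and nodes instance roles and leave the service-account policy with only the security-group and ELB actions it needs. If applying the defaults here is deliberate, a comment in the builder (outside this diff) explaining why the service-account role needs volume and route permissions would help the next reader; otherwise the default set should be skipped when the role being built is a service-account role. The switch of condition key from `ec2:ResourceTag/KubernetesCluster` to the global `aws:ResourceTag/KubernetesCluster` is equivalent for these EC2 actions.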
--- a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - 
"Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -198,7 +82,24 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVolumes", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -227,10 +128,32 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_nodes.minimal.example.com_policy b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_nodes.minimal.example.com_policy index 452bb72a13..ca2ca63d75 100644 
--- a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_nodes.minimal.example.com_policy +++ b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_nodes.minimal.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -49,6 +25,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy b/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy index e3b1d71f5b..23666415a1 100644 --- a/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy +++ b/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "bastionuserdata.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "bastionuserdata.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "bastionuserdata.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - 
"Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -265,12 +149,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -299,18 +197,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { 
diff --git a/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_nodes.bastionuserdata.example.com_policy b/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_nodes.bastionuserdata.example.com_policy index d594890a0c..f72e2e965d 100644 --- a/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_nodes.bastionuserdata.example.com_policy +++ b/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_nodes.bastionuserdata.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -49,6 +25,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/complex/cloudformation.json b/tests/integration/update_cluster/complex/cloudformation.json index 34194c7836..b1cc93078c 100644 --- a/tests/integration/update_cluster/complex/cloudformation.json +++ b/tests/integration/update_cluster/complex/cloudformation.json 
@@ -1566,122 +1566,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "complex.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "complex.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "complex.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - 
"Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -1831,12 +1715,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -1865,18 +1763,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { 
@@ -1902,30 +1810,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -1951,6 +1835,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy b/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy index 60a31c2b91..3db7ece6f1 100644 --- a/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy +++ b/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "complex.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "complex.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "complex.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - 
"Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -265,12 +149,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -299,18 +197,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { diff --git a/tests/integration/update_cluster/complex/data/aws_iam_role_policy_nodes.complex.example.com_policy b/tests/integration/update_cluster/complex/data/aws_iam_role_policy_nodes.complex.example.com_policy index d53d227874..d806c162c6 100644 
--- a/tests/integration/update_cluster/complex/data/aws_iam_role_policy_nodes.complex.example.com_policy +++ b/tests/integration/update_cluster/complex/data/aws_iam_role_policy_nodes.complex.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -49,6 +25,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy b/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy index 6595304e5c..fe15d8d856 100644 --- a/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy +++ b/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "compress.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "compress.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "compress.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - 
"Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -265,12 +149,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -299,18 +197,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { diff --git a/tests/integration/update_cluster/compress/data/aws_iam_role_policy_nodes.compress.example.com_policy b/tests/integration/update_cluster/compress/data/aws_iam_role_policy_nodes.compress.example.com_policy index 2e6fbf0bee..29ab1f2773 100644 
--- a/tests/integration/update_cluster/compress/data/aws_iam_role_policy_nodes.compress.example.com_policy +++ b/tests/integration/update_cluster/compress/data/aws_iam_role_policy_nodes.compress.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -49,6 +25,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/containerd-custom/cloudformation.json b/tests/integration/update_cluster/containerd-custom/cloudformation.json index cc67af02ca..758223e17b 100644 --- a/tests/integration/update_cluster/containerd-custom/cloudformation.json +++ b/tests/integration/update_cluster/containerd-custom/cloudformation.json 
@@ -952,122 +952,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "containerd.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "containerd.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "containerd.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": 
"kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -1217,12 +1101,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -1251,18 +1149,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { 
@@ -1288,30 +1196,6 @@
 ],
 "PolicyDocument": {
 "Statement": [
- {
- "Action": [
- "ec2:DescribeInstances",
- "ec2:DescribeRegions"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeAutoScalingInstances",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "kms:GenerateRandom",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "s3:Get*"
@@ -1337,6 +1221,16 @@
 "Resource": [
 "arn:aws:s3:::placeholder-read-bucket"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingInstances",
+ "ec2:DescribeInstances",
+ "ec2:DescribeRegions",
+ "kms:GenerateRandom"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/containerd/cloudformation.json b/tests/integration/update_cluster/containerd/cloudformation.json
index cc67af02ca..758223e17b 100644
--- a/tests/integration/update_cluster/containerd/cloudformation.json
+++ b/tests/integration/update_cluster/containerd/cloudformation.json
@@ -952,122 +952,6 @@
 ],
 "PolicyDocument": {
 "Statement": [
- {
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstances",
- "ec2:DescribeInternetGateways",
- "ec2:DescribeRegions",
- "ec2:DescribeRouteTables",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeSubnets",
- "ec2:DescribeVolumes"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:CreateSecurityGroup",
- "ec2:CreateTags",
- "ec2:ModifyInstanceAttribute"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:CreateRoute",
- "ec2:DeleteRoute",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "containerd.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:CompleteLifecycleAction",
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "containerd.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeLifecycleHooks",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeAutoScalingInstances",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "autoscaling:DescribeAutoScalingGroups",
- "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:DescribeTags",
- "ec2:DescribeLaunchTemplateVersions"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "autoscaling:CompleteLifecycleAction",
- "autoscaling:DescribeAutoScalingInstances"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "containerd.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "iam:ListServerCertificates",
- "iam:GetServerCertificate"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "kms:GenerateRandom",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "s3:Get*"
@@ -1217,12 +1101,26 @@
 },
 {
 "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:DescribeLifecycleHooks",
+ "autoscaling:DescribeTags",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateTags",
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeInstances",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeLaunchTemplateVersions",
+ "ec2:DescribeRegions",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
 "ec2:DescribeTags",
 "ec2:DescribeVolumes",
 "ec2:DescribeVolumesModifications",
 "ec2:DescribeVpcs",
+ "ec2:ModifyInstanceAttribute",
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
 "elasticloadbalancing:AttachLoadBalancerToSubnets",
@@ -1251,18 +1149,28 @@
 "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
- "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
+ "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
+ "iam:GetServerCertificate",
+ "iam:ListServerCertificates",
+ "kms:GenerateRandom"
 ],
 "Effect": "Allow",
 "Resource": "*"
 },
 {
 "Action": [
+ "autoscaling:CompleteLifecycleAction",
+ "autoscaling:DescribeAutoScalingInstances",
 "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
 "ec2:DeleteVolume",
 "ec2:DetachVolume",
 "ec2:ModifyInstanceAttribute",
- "ec2:ModifyVolume"
+ "ec2:ModifyVolume",
+ "ec2:RevokeSecurityGroupIngress"
 ],
 "Condition": {
 "StringEquals": {
@@ -1288,30 +1196,6 @@
 ],
 "PolicyDocument": {
 "Statement": [
- {
- "Action": [
- "ec2:DescribeInstances",
- "ec2:DescribeRegions"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeAutoScalingInstances",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "kms:GenerateRandom",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "s3:Get*"
@@ -1337,6 +1221,16 @@
 "Resource": [
 "arn:aws:s3:::placeholder-read-bucket"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingInstances",
+ "ec2:DescribeInstances",
+ "ec2:DescribeRegions",
+ "kms:GenerateRandom"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/docker-custom/cloudformation.json b/tests/integration/update_cluster/docker-custom/cloudformation.json
index 1da2421061..4260eebb2c 100644
--- a/tests/integration/update_cluster/docker-custom/cloudformation.json
+++ b/tests/integration/update_cluster/docker-custom/cloudformation.json
@@ -952,122 +952,6 @@
 ],
 "PolicyDocument": {
 "Statement": [
- {
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstances",
- "ec2:DescribeInternetGateways",
- "ec2:DescribeRegions",
- "ec2:DescribeRouteTables",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeSubnets",
- "ec2:DescribeVolumes"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:CreateSecurityGroup",
- "ec2:CreateTags",
- "ec2:ModifyInstanceAttribute"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:CreateRoute",
- "ec2:DeleteRoute",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "docker.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:CompleteLifecycleAction",
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "docker.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeLifecycleHooks",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeAutoScalingInstances",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "autoscaling:DescribeAutoScalingGroups",
- "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:DescribeTags",
- "ec2:DescribeLaunchTemplateVersions"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "autoscaling:CompleteLifecycleAction",
- "autoscaling:DescribeAutoScalingInstances"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "docker.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "iam:ListServerCertificates",
- "iam:GetServerCertificate"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "kms:GenerateRandom",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "s3:Get*"
@@ -1217,12 +1101,26 @@
 },
 {
 "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:DescribeLifecycleHooks",
+ "autoscaling:DescribeTags",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateTags",
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeInstances",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeLaunchTemplateVersions",
+ "ec2:DescribeRegions",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
 "ec2:DescribeTags",
 "ec2:DescribeVolumes",
 "ec2:DescribeVolumesModifications",
 "ec2:DescribeVpcs",
+ "ec2:ModifyInstanceAttribute",
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
 "elasticloadbalancing:AttachLoadBalancerToSubnets",
@@ -1251,18 +1149,28 @@
 "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
- "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
+ "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
+ "iam:GetServerCertificate",
+ "iam:ListServerCertificates",
+ "kms:GenerateRandom"
 ],
 "Effect": "Allow",
 "Resource": "*"
 },
 {
 "Action": [
+ "autoscaling:CompleteLifecycleAction",
+ "autoscaling:DescribeAutoScalingInstances",
 "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
 "ec2:DeleteVolume",
 "ec2:DetachVolume",
 "ec2:ModifyInstanceAttribute",
- "ec2:ModifyVolume"
+ "ec2:ModifyVolume",
+ "ec2:RevokeSecurityGroupIngress"
 ],
 "Condition": {
 "StringEquals": {
@@ -1288,30 +1196,6 @@
 ],
 "PolicyDocument": {
 "Statement": [
- {
- "Action": [
- "ec2:DescribeInstances",
- "ec2:DescribeRegions"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeAutoScalingInstances",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "kms:GenerateRandom",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "s3:Get*"
@@ -1337,6 +1221,16 @@
 "Resource": [
 "arn:aws:s3:::placeholder-read-bucket"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingInstances",
+ "ec2:DescribeInstances",
+ "ec2:DescribeRegions",
+ "kms:GenerateRandom"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy b/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy
index c32967bb51..057901d725 100644
--- a/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy
+++ b/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy
@@ -1,121 +1,5 @@
 {
 "Statement": [
- {
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstances",
- "ec2:DescribeInternetGateways",
- "ec2:DescribeRegions",
- "ec2:DescribeRouteTables",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeSubnets",
- "ec2:DescribeVolumes"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:CreateSecurityGroup",
- "ec2:CreateTags",
- "ec2:ModifyInstanceAttribute"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:CreateRoute",
- "ec2:DeleteRoute",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "existingsg.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:CompleteLifecycleAction",
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "existingsg.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeLifecycleHooks",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeAutoScalingInstances",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "autoscaling:DescribeAutoScalingGroups",
- "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:DescribeTags",
- "ec2:DescribeLaunchTemplateVersions"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "autoscaling:CompleteLifecycleAction",
- "autoscaling:DescribeAutoScalingInstances"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "existingsg.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "iam:ListServerCertificates",
- "iam:GetServerCertificate"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "kms:GenerateRandom",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "s3:Get*"
@@ -265,12 +149,26 @@
 },
 {
 "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:DescribeLifecycleHooks",
+ "autoscaling:DescribeTags",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateTags",
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeInstances",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeLaunchTemplateVersions",
+ "ec2:DescribeRegions",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
 "ec2:DescribeTags",
 "ec2:DescribeVolumes",
 "ec2:DescribeVolumesModifications",
 "ec2:DescribeVpcs",
+ "ec2:ModifyInstanceAttribute",
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
 "elasticloadbalancing:AttachLoadBalancerToSubnets",
@@ -299,18 +197,28 @@
 "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
- "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
+ "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
+ "iam:GetServerCertificate",
+ "iam:ListServerCertificates",
+ "kms:GenerateRandom"
 ],
 "Effect": "Allow",
 "Resource": "*"
 },
 {
 "Action": [
+ "autoscaling:CompleteLifecycleAction",
+ "autoscaling:DescribeAutoScalingInstances",
 "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
 "ec2:DeleteVolume",
 "ec2:DetachVolume",
 "ec2:ModifyInstanceAttribute",
- "ec2:ModifyVolume"
+ "ec2:ModifyVolume",
+ "ec2:RevokeSecurityGroupIngress"
 ],
 "Condition": {
 "StringEquals": {
diff --git a/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_nodes.existingsg.example.com_policy b/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_nodes.existingsg.example.com_policy
index 56c9f3a124..5a0297b53c 100644
--- a/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_nodes.existingsg.example.com_policy
+++ b/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_nodes.existingsg.example.com_policy
@@ -1,29 +1,5 @@
 {
 "Statement": [
- {
- "Action": [
- "ec2:DescribeInstances",
- "ec2:DescribeRegions"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeAutoScalingInstances",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "kms:GenerateRandom",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "s3:Get*"
@@ -49,6 +25,16 @@
 "Resource": [
 "arn:aws:s3:::placeholder-read-bucket"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingInstances",
+ "ec2:DescribeInstances",
+ "ec2:DescribeRegions",
+ "kms:GenerateRandom"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/externallb/cloudformation.json b/tests/integration/update_cluster/externallb/cloudformation.json
index 49fc62f805..3638efd266 100644
--- a/tests/integration/update_cluster/externallb/cloudformation.json
+++ b/tests/integration/update_cluster/externallb/cloudformation.json
@@ -968,122 +968,6 @@
 ],
 "PolicyDocument": {
 "Statement": [
- {
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstances",
- "ec2:DescribeInternetGateways",
- "ec2:DescribeRegions",
- "ec2:DescribeRouteTables",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeSubnets",
- "ec2:DescribeVolumes"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:CreateSecurityGroup",
- "ec2:CreateTags",
- "ec2:ModifyInstanceAttribute"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:CreateRoute",
- "ec2:DeleteRoute",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "externallb.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:CompleteLifecycleAction",
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "externallb.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeLifecycleHooks",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeAutoScalingInstances",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "autoscaling:DescribeAutoScalingGroups",
- "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:DescribeTags",
- "ec2:DescribeLaunchTemplateVersions"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "autoscaling:CompleteLifecycleAction",
- "autoscaling:DescribeAutoScalingInstances"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "externallb.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "iam:ListServerCertificates",
- "iam:GetServerCertificate"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "kms:GenerateRandom",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "s3:Get*"
@@ -1233,12 +1117,26 @@
 },
 {
 "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:DescribeLifecycleHooks",
+ "autoscaling:DescribeTags",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateTags",
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeInstances",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeLaunchTemplateVersions",
+ "ec2:DescribeRegions",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
 "ec2:DescribeTags",
 "ec2:DescribeVolumes",
 "ec2:DescribeVolumesModifications",
 "ec2:DescribeVpcs",
+ "ec2:ModifyInstanceAttribute",
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
 "elasticloadbalancing:AttachLoadBalancerToSubnets",
@@ -1267,18 +1165,28 @@
 "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
- "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
+ "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
+ "iam:GetServerCertificate",
+ "iam:ListServerCertificates",
+ "kms:GenerateRandom"
 ],
 "Effect": "Allow",
 "Resource": "*"
 },
 {
 "Action": [
+ "autoscaling:CompleteLifecycleAction",
+ "autoscaling:DescribeAutoScalingInstances",
 "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
 "ec2:DeleteVolume",
 "ec2:DetachVolume",
 "ec2:ModifyInstanceAttribute",
- "ec2:ModifyVolume"
+ "ec2:ModifyVolume",
+ "ec2:RevokeSecurityGroupIngress"
 ],
 "Condition": {
 "StringEquals": {
@@ -1304,30 +1212,6 @@
 ],
 "PolicyDocument": {
 "Statement": [
- {
- "Action": [
- "ec2:DescribeInstances",
- "ec2:DescribeRegions"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeAutoScalingInstances",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "kms:GenerateRandom",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "s3:Get*"
@@ -1353,6 +1237,16 @@
 "Resource": [
 "arn:aws:s3:::placeholder-read-bucket"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingInstances",
+ "ec2:DescribeInstances",
+ "ec2:DescribeRegions",
+ "kms:GenerateRandom"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy b/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy
index 25dd131cc7..282a9d3889 100644
--- a/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy
+++ b/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy
@@ -1,121 +1,5 @@
 {
 "Statement": [
- {
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstances",
- "ec2:DescribeInternetGateways",
- "ec2:DescribeRegions",
- "ec2:DescribeRouteTables",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeSubnets",
- "ec2:DescribeVolumes"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:CreateSecurityGroup",
- "ec2:CreateTags",
- "ec2:ModifyInstanceAttribute"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:CreateRoute",
- "ec2:DeleteRoute",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "externallb.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:CompleteLifecycleAction",
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "externallb.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeLifecycleHooks",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeAutoScalingInstances",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "autoscaling:DescribeAutoScalingGroups",
- "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:DescribeTags",
- "ec2:DescribeLaunchTemplateVersions"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "autoscaling:CompleteLifecycleAction",
- "autoscaling:DescribeAutoScalingInstances"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "externallb.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "iam:ListServerCertificates",
- "iam:GetServerCertificate"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "kms:GenerateRandom",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "s3:Get*"
@@ -265,12 +149,26 @@
 },
 {
 "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:DescribeLifecycleHooks",
+ "autoscaling:DescribeTags",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateTags",
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeInstances",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeLaunchTemplateVersions",
+ "ec2:DescribeRegions",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
 "ec2:DescribeTags",
 "ec2:DescribeVolumes",
 "ec2:DescribeVolumesModifications",
 "ec2:DescribeVpcs",
+ "ec2:ModifyInstanceAttribute",
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
 "elasticloadbalancing:AttachLoadBalancerToSubnets",
@@ -299,18 +197,28 @@
 "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
- "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
+ "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
+ "iam:GetServerCertificate",
+ "iam:ListServerCertificates",
+ "kms:GenerateRandom"
 ],
 "Effect": "Allow",
 "Resource": "*"
 },
 {
 "Action": [
+ "autoscaling:CompleteLifecycleAction",
+ "autoscaling:DescribeAutoScalingInstances",
 "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
 "ec2:DeleteVolume",
 "ec2:DetachVolume",
 "ec2:ModifyInstanceAttribute",
- "ec2:ModifyVolume"
+ "ec2:ModifyVolume",
+ "ec2:RevokeSecurityGroupIngress"
 ],
 "Condition": {
 "StringEquals": {
diff --git a/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_nodes.externallb.example.com_policy b/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_nodes.externallb.example.com_policy
index f6e6e2c555..d42002eb2f 100644
--- a/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_nodes.externallb.example.com_policy
+++ b/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_nodes.externallb.example.com_policy
@@ -1,29 +1,5 @@
 {
 "Statement": [
- {
- "Action": [
- "ec2:DescribeInstances",
- "ec2:DescribeRegions"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeAutoScalingInstances",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "kms:GenerateRandom",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "s3:Get*"
@@ -49,6 +25,16 @@
 "Resource": [
 "arn:aws:s3:::placeholder-read-bucket"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingInstances",
+ "ec2:DescribeInstances",
+ "ec2:DescribeRegions",
+ "kms:GenerateRandom"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy b/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy
index 288dbba504..57212d024c 100644
--- a/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy
+++ b/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy
@@ -1,121 +1,5 @@
 {
 "Statement": [
- {
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstances",
- "ec2:DescribeInternetGateways",
- "ec2:DescribeRegions",
- "ec2:DescribeRouteTables",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeSubnets",
- "ec2:DescribeVolumes"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:CreateSecurityGroup",
- "ec2:CreateTags",
- "ec2:ModifyInstanceAttribute"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:CreateRoute",
- "ec2:DeleteRoute",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "externalpolicies.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:CompleteLifecycleAction",
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "externalpolicies.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeLifecycleHooks",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeAutoScalingInstances",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "autoscaling:DescribeAutoScalingGroups",
- "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:DescribeTags",
- "ec2:DescribeLaunchTemplateVersions"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "autoscaling:CompleteLifecycleAction",
- "autoscaling:DescribeAutoScalingInstances"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "externalpolicies.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "iam:ListServerCertificates",
- "iam:GetServerCertificate"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "kms:GenerateRandom",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "s3:Get*"
@@ -265,12 +149,26 @@
 },
 {
 "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:DescribeLifecycleHooks",
+ "autoscaling:DescribeTags",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateTags",
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeInstances",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeLaunchTemplateVersions",
+ "ec2:DescribeRegions",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
 "ec2:DescribeTags",
 "ec2:DescribeVolumes",
 "ec2:DescribeVolumesModifications",
 "ec2:DescribeVpcs",
+ "ec2:ModifyInstanceAttribute",
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
 "elasticloadbalancing:AttachLoadBalancerToSubnets",
@@ -299,18 +197,28 @@
 "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
- "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
+ "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
+ "iam:GetServerCertificate",
+ "iam:ListServerCertificates",
+ "kms:GenerateRandom"
 ],
 "Effect": "Allow",
 "Resource": "*"
 },
 {
 "Action": [
+ "autoscaling:CompleteLifecycleAction",
+ "autoscaling:DescribeAutoScalingInstances",
 "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
 "ec2:DeleteVolume",
 "ec2:DetachVolume",
 "ec2:ModifyInstanceAttribute",
- "ec2:ModifyVolume"
+ "ec2:ModifyVolume",
+ "ec2:RevokeSecurityGroupIngress"
 ],
 "Condition": {
 "StringEquals": {
diff --git a/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_nodes.externalpolicies.example.com_policy b/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_nodes.externalpolicies.example.com_policy
index 7515e4e460..8e98d5597b 100644
--- a/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_nodes.externalpolicies.example.com_policy
+++ b/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_nodes.externalpolicies.example.com_policy
@@ -1,29 +1,5 @@
 {
 "Statement": [
- {
- "Action": [
- "ec2:DescribeInstances",
- "ec2:DescribeRegions"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeAutoScalingInstances",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "kms:GenerateRandom",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
 {
 "Action": [
 "s3:Get*"
@@ -49,6 +25,16 @@
 "Resource": [
 "arn:aws:s3:::placeholder-read-bucket"
 ]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingInstances",
+ "ec2:DescribeInstances",
+ "ec2:DescribeRegions",
+ "kms:GenerateRandom"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
 }
 ],
 "Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy b/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy
index 8538969ab6..0e916269c3 100644
--- a/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy
+++ b/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "ha.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "ha.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "ha.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - 
] - }, { "Action": [ "s3:Get*" @@ -265,12 +149,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -299,18 +197,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { diff --git a/tests/integration/update_cluster/ha/data/aws_iam_role_policy_nodes.ha.example.com_policy b/tests/integration/update_cluster/ha/data/aws_iam_role_policy_nodes.ha.example.com_policy index 0f6ad345f4..ac3e4293cf 100644 
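Review bot: In the last hunk the single `Condition` now guards both `autoscaling:CompleteLifecycleAction` and the ec2 route/security-group/volume actions, but the removed statements above used two different keys (`autoscaling:ResourceTag/...` vs `ec2:ResourceTag/...`) for exactly that reason; the key used after the merge is outside the hunk. A `StringEquals` on a key absent from the request is false, so unless the merged key is the global `aws:ResourceTag/KubernetesCluster`, either the lifecycle-hook completion or the ec2 calls will be denied for `ha.example.com`. Also worth noting that `ec2:ModifyInstanceAttribute` appears in both the unconditioned `"Resource": "*"` statement and the conditioned one, so the tag condition is dead for that action; a reader of the policy should not be led to believe it is scoped. This is a generated fixture, so the change should be made in the generator.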
--- a/tests/integration/update_cluster/ha/data/aws_iam_role_policy_nodes.ha.example.com_policy +++ b/tests/integration/update_cluster/ha/data/aws_iam_role_policy_nodes.ha.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -49,6 +25,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy index 8fadc55224..278ceabb2e 100644 --- a/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - 
"Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -265,12 +149,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -299,18 +197,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { diff --git a/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_nodes.minimal.example.com_policy b/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_nodes.minimal.example.com_policy index 452bb72a13..ca2ca63d75 100644 
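Review bot: The collapsed conditioned statement (last hunk) mixes `autoscaling:CompleteLifecycleAction` with ec2 actions under one `StringEquals`, whereas the deleted statements separated them precisely because each used its own service condition key; the new key is not visible in this hunk. If it is `ec2:ResourceTag/KubernetesCluster`, autoscaling requests do not carry it and `CompleteLifecycleAction` is implicitly denied; if it is `autoscaling:ResourceTag/...`, the ec2 actions are — only `aws:ResourceTag/KubernetesCluster` (or two statements) covers both. `autoscaling:DescribeAutoScalingInstances` and `ec2:ModifyInstanceAttribute` are also granted on `"Resource": "*"` without a condition in the preceding statement, making their presence in the conditioned statement a no-op that overstates the scoping. The fixture looks generated, so this is a policy-builder fix.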
--- a/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_nodes.minimal.example.com_policy +++ b/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_nodes.minimal.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -49,6 +25,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy index 321039f5c2..22dffe25a2 100644 --- a/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - 
"Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -297,9 +181,7 @@ "ec2:UnassignPrivateIpAddresses" ], "Effect": "Allow", - "Resource": [ - "*" - ] + "Resource": "*" }, { "Action": [ @@ -312,16 +194,30 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", "ec2:CreateSnapshot", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", "ec2:DescribeNetworkInterfaces", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshots", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -355,19 +251,29 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteSnapshot", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { 
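Review bot: In the `@@ -355` hunk the conditioned statement now holds `autoscaling:CompleteLifecycleAction` alongside `ec2:DeleteSnapshot`, `ec2:DeleteSecurityGroup` and the other ec2 mutations under a single `StringEquals`; the removed statements used `autoscaling:ResourceTag/KubernetesCluster` and `ec2:ResourceTag/KubernetesCluster` separately, and the merged key is beyond the hunk. With a service-specific key one of the two groups fails the condition outright, so please confirm the generator emits `"aws:ResourceTag/KubernetesCluster": "minimal.example.com"` here. The duplicate grant of `ec2:ModifyInstanceAttribute` and `autoscaling:DescribeAutoScalingInstances` in the unconditioned `"Resource": "*"` statement immediately above also makes the condition meaningless for those two actions; this predates the commit but the merge makes it visible. As a generated fixture, the correction belongs in the builder.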
diff --git a/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_nodes.minimal.example.com_policy b/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_nodes.minimal.example.com_policy index ee36b8cc9a..6260f674fa 100644 --- a/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_nodes.minimal.example.com_policy +++ b/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_nodes.minimal.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -65,9 +41,7 @@ "ec2:UnassignPrivateIpAddresses" ], "Effect": "Allow", - "Resource": [ - "*" - ] + "Resource": "*" }, { "Action": [ @@ -77,6 +51,16 @@ "Resource": [ "arn:aws:ec2:*:*:network-interface/*" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal-etcd/cloudformation.json b/tests/integration/update_cluster/minimal-etcd/cloudformation.json index 6640716c8f..15c1699eeb 100644 --- a/tests/integration/update_cluster/minimal-etcd/cloudformation.json +++ b/tests/integration/update_cluster/minimal-etcd/cloudformation.json 
@@ -952,122 +952,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal-etcd.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal-etcd.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal-etcd.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": 
"kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -1217,12 +1101,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -1251,18 +1149,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { 
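Review bot: The CloudFormation `PolicyDocument` here has the same shape as the policy fixtures: the final conditioned statement groups `autoscaling:CompleteLifecycleAction` with the ec2 mutating actions under one `StringEquals`, while the statements removed at the top of this section keyed them on `autoscaling:ResourceTag/KubernetesCluster` and `ec2:ResourceTag/KubernetesCluster` respectively; the merged key lies past the hunk. Unless it is the global `aws:ResourceTag/KubernetesCluster`, one service's requests will lack the key and be denied for `minimal-etcd.example.com`. Note also that `ec2:ModifyInstanceAttribute` and `autoscaling:DescribeAutoScalingInstances` are already allowed on `"Resource": "*"` without a condition in the preceding statement, so the conditioned copy adds no restriction. Fix in the generator rather than this presumably generated file.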
@@ -1288,30 +1196,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -1337,6 +1221,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal-gp3/cloudformation.json b/tests/integration/update_cluster/minimal-gp3/cloudformation.json index 0220658707..2a43dfda11 100644 --- a/tests/integration/update_cluster/minimal-gp3/cloudformation.json +++ b/tests/integration/update_cluster/minimal-gp3/cloudformation.json 
@@ -948,122 +948,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - 
"Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -1213,12 +1097,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -1247,18 +1145,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { 
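Review bot: The merged `Condition` in the last hunk applies one `StringEquals` to both `autoscaling:CompleteLifecycleAction` and the ec2 actions, whereas the deleted statements used per-service keys (`autoscaling:ResourceTag/...`, `ec2:ResourceTag/...`); the new key is outside the hunk. A service-specific key is absent from the other service's request context, the condition evaluates false, and that group is denied instead of tag-scoped — `"aws:ResourceTag/KubernetesCluster": "minimal.example.com"` is the form that covers both. The unconditioned `"Resource": "*"` statement above already contains `ec2:ModifyInstanceAttribute` and `autoscaling:DescribeAutoScalingInstances`, so repeating them in the conditioned statement is dead policy that suggests a restriction not in force. Being a generated CloudFormation fixture, the fix belongs upstream in the builder.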
@@ -1284,30 +1192,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -1333,6 +1217,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy index 8fadc55224..278ceabb2e 100644 --- a/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - 
"Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -265,12 +149,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -299,18 +197,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { diff --git a/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_nodes.minimal.example.com_policy b/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_nodes.minimal.example.com_policy index 452bb72a13..ca2ca63d75 100644 
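Review bot: The last hunk's conditioned statement now guards `autoscaling:CompleteLifecycleAction` and the ec2 route/security-group/volume actions with a single `StringEquals`, but the removed statements used `autoscaling:ResourceTag/KubernetesCluster` and `ec2:ResourceTag/KubernetesCluster` separately; the merged key is not within the hunk. If the generator kept either service-specific key, the other service's actions silently fail the condition; `aws:ResourceTag/KubernetesCluster` or two statements is required. `ec2:ModifyInstanceAttribute` and `autoscaling:DescribeAutoScalingInstances` also appear unconditioned on `"Resource": "*"` in the preceding statement, so their conditioned duplicates are inert. This fixture looks generated; correct the policy builder.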
--- a/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_nodes.minimal.example.com_policy +++ b/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_nodes.minimal.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -49,6 +25,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal-ipv6/cloudformation.json b/tests/integration/update_cluster/minimal-ipv6/cloudformation.json index 50e59851d6..831ae517e1 100644 --- a/tests/integration/update_cluster/minimal-ipv6/cloudformation.json +++ b/tests/integration/update_cluster/minimal-ipv6/cloudformation.json 
@@ -1129,122 +1129,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": 
"kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -1394,12 +1278,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -1428,18 +1326,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { 
@@ -1465,30 +1373,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -1514,6 +1398,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy b/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy index f3038068ea..fae43e33be 100644 --- a/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy +++ b/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal-ipv6.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": 
"Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -265,12 +149,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -299,18 +197,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { diff --git a/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_nodes.minimal-ipv6.example.com_policy b/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_nodes.minimal-ipv6.example.com_policy index c8a3b48b12..eba8493283 100644 
--- a/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_nodes.minimal-ipv6.example.com_policy +++ b/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_nodes.minimal-ipv6.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -49,6 +25,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy b/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy index f69ff4c827..b1b74be5f4 100644 --- a/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy +++ b/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal-json.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal-json.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal-json.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": 
"Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -265,12 +149,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -299,18 +197,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { diff --git a/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_nodes.minimal-json.example.com_policy b/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_nodes.minimal-json.example.com_policy index 3ed68d241a..6e9e41fc84 100644 
--- a/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_nodes.minimal-json.example.com_policy +++ b/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_nodes.minimal-json.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -49,6 +25,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy b/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy index 84ed0f2151..d149ddf293 100644 --- a/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy +++ b/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal-warmpool.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal-warmpool.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal-warmpool.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - 
"Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -265,12 +149,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -299,18 +197,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { 
diff --git a/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_nodes.minimal-warmpool.example.com_policy b/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_nodes.minimal-warmpool.example.com_policy index 8c3fdfa590..191b88cb4f 100644 --- a/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_nodes.minimal-warmpool.example.com_policy +++ b/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_nodes.minimal-warmpool.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -49,6 +25,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal/cloudformation.json b/tests/integration/update_cluster/minimal/cloudformation.json index eadfd13614..fcef432230 100644 --- a/tests/integration/update_cluster/minimal/cloudformation.json +++ b/tests/integration/update_cluster/minimal/cloudformation.json 
@@ -952,122 +952,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - 
"Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -1217,12 +1101,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -1251,18 +1149,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { 
@@ -1288,30 +1196,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -1337,6 +1221,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy index 8fadc55224..278ceabb2e 100644 --- a/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - 
"Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -265,12 +149,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -299,18 +197,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { diff --git a/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_nodes.minimal.example.com_policy b/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_nodes.minimal.example.com_policy index 452bb72a13..ca2ca63d75 100644 
--- a/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_nodes.minimal.example.com_policy +++ b/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_nodes.minimal.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -49,6 +25,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy b/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy index 0b899e3188..e1068ffc49 100644 --- a/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy +++ b/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_masters.minimal.k8s.local_policy 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.k8s.local" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.k8s.local" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.k8s.local" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ 
- "*" - ] - }, { "Action": [ "s3:Get*" @@ -236,12 +120,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -270,18 +168,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { diff --git a/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_nodes.minimal.k8s.local_policy b/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_nodes.minimal.k8s.local_policy index b274d713e0..37dbb285cc 100644 
--- a/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_nodes.minimal.k8s.local_policy +++ b/tests/integration/update_cluster/minimal_gossip/data/aws_iam_role_policy_nodes.minimal.k8s.local_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -49,6 +25,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/mixed_instances/cloudformation.json b/tests/integration/update_cluster/mixed_instances/cloudformation.json index 4c5a6586ea..bb51a5c435 100644 --- a/tests/integration/update_cluster/mixed_instances/cloudformation.json +++ b/tests/integration/update_cluster/mixed_instances/cloudformation.json 
@@ -1671,122 +1671,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": 
"kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -1936,12 +1820,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -1970,18 +1868,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { 
@@ -2007,30 +1915,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -2056,6 +1940,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy b/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy index b782585227..fd77f66485 100644 --- a/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy +++ b/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - 
"Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -265,12 +149,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -299,18 +197,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { 
diff --git a/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_nodes.mixedinstances.example.com_policy b/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_nodes.mixedinstances.example.com_policy index cc56e1fcc3..95a1bed247 100644 --- a/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_nodes.mixedinstances.example.com_policy +++ b/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_nodes.mixedinstances.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -49,6 +25,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json b/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json index 4495746269..ce15587e44 100644 --- a/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json +++ b/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json 
@@ -1672,122 +1672,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": 
"kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -1937,12 +1821,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -1971,18 +1869,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { 
@@ -2008,30 +1916,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -2057,6 +1941,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy b/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy index b782585227..fd77f66485 100644 --- a/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy +++ b/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "mixedinstances.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - 
"Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -265,12 +149,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -299,18 +197,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { 
diff --git a/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_nodes.mixedinstances.example.com_policy b/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_nodes.mixedinstances.example.com_policy index cc56e1fcc3..95a1bed247 100644 --- a/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_nodes.mixedinstances.example.com_policy +++ b/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_nodes.mixedinstances.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -49,6 +25,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json b/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json index a9aaaa77f3..37a0583dcb 100644 --- a/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json +++ b/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json 
@@ -1062,122 +1062,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "nthsqsresources.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "nthsqsresources.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "nthsqsresources.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": 
"kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -1333,18 +1217,30 @@ "sqs:ReceiveMessage" ], "Effect": "Allow", - "Resource": [ - "*" - ] + "Resource": "*" }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -1373,18 +1269,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { 
@@ -1410,30 +1316,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -1459,6 +1341,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy b/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy index 2395b166f1..e54087d9b8 100644 --- a/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy +++ b/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy 
@@ -1,121 +1,5 @@
{
"Statement": [
- {
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstances",
- "ec2:DescribeInternetGateways",
- "ec2:DescribeRegions",
- "ec2:DescribeRouteTables",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeSubnets",
- "ec2:DescribeVolumes"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:CreateSecurityGroup",
- "ec2:CreateTags",
- "ec2:ModifyInstanceAttribute"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:CreateRoute",
- "ec2:DeleteRoute",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "nthsqsresources.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:CompleteLifecycleAction",
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "nthsqsresources.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeLifecycleHooks",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeAutoScalingInstances",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "autoscaling:DescribeAutoScalingGroups",
- "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:DescribeTags",
- "ec2:DescribeLaunchTemplateVersions"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "autoscaling:CompleteLifecycleAction",
- "autoscaling:DescribeAutoScalingInstances"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "nthsqsresources.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "iam:ListServerCertificates",
- "iam:GetServerCertificate"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "kms:GenerateRandom",
- 
"Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
{
"Action": [
"s3:Get*"
@@ -271,18 +155,30 @@
"sqs:ReceiveMessage"
],
"Effect": "Allow",
- "Resource": [
- "*"
- ]
+ "Resource": "*"
},
{
"Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:DescribeLifecycleHooks",
+ "autoscaling:DescribeTags",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateTags",
"ec2:DescribeAccountAttributes",
"ec2:DescribeInstances",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeLaunchTemplateVersions",
+ "ec2:DescribeRegions",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications",
"ec2:DescribeVpcs",
+ "ec2:ModifyInstanceAttribute",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
"elasticloadbalancing:AttachLoadBalancerToSubnets",
@@ -311,18 +207,28 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
- "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
+ "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
+ "iam:GetServerCertificate",
+ "iam:ListServerCertificates",
+ "kms:GenerateRandom"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
+ "autoscaling:CompleteLifecycleAction",
+ "autoscaling:DescribeAutoScalingInstances",
"ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
"ec2:DeleteVolume",
"ec2:DetachVolume",
"ec2:ModifyInstanceAttribute",
- "ec2:ModifyVolume"
+ "ec2:ModifyVolume",
+ "ec2:RevokeSecurityGroupIngress"
],
"Condition": {
"StringEquals": {
diff --git a/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_nodes.nthsqsresources.example.com_policy b/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_nodes.nthsqsresources.example.com_policy
index 80aa4c9c5d..36c61cbb55 100644
--- a/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_nodes.nthsqsresources.example.com_policy
+++ b/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_nodes.nthsqsresources.example.com_policy
@@ -1,29 +1,5 @@
{
"Statement": [
- {
- "Action": [
- "ec2:DescribeInstances",
- "ec2:DescribeRegions"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeAutoScalingInstances",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "kms:GenerateRandom",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
{
"Action": [
"s3:Get*"
@@ -49,6 +25,16 @@
"Resource": [
"arn:aws:s3:::placeholder-read-bucket"
]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingInstances",
+ "ec2:DescribeInstances",
+ "ec2:DescribeRegions",
+ "kms:GenerateRandom"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
}
],
"Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/private-shared-ip/cloudformation.json b/tests/integration/update_cluster/private-shared-ip/cloudformation.json
index 980275f3ef..2ea4b8f03e 100644
--- a/tests/integration/update_cluster/private-shared-ip/cloudformation.json
+++ b/tests/integration/update_cluster/private-shared-ip/cloudformation.json
@@ -1468,122 +1468,6 @@
],
"PolicyDocument": {
"Statement": [
- {
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstances",
- "ec2:DescribeInternetGateways",
- "ec2:DescribeRegions",
- "ec2:DescribeRouteTables",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeSubnets",
- "ec2:DescribeVolumes"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:CreateSecurityGroup",
- "ec2:CreateTags",
- "ec2:ModifyInstanceAttribute"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:CreateRoute",
- "ec2:DeleteRoute",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "private-shared-ip.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:CompleteLifecycleAction",
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "private-shared-ip.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeLifecycleHooks",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeAutoScalingInstances",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "autoscaling:DescribeAutoScalingGroups",
- "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:DescribeTags",
- "ec2:DescribeLaunchTemplateVersions"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "autoscaling:CompleteLifecycleAction",
- "autoscaling:DescribeAutoScalingInstances"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "private-shared-ip.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "iam:ListServerCertificates",
- "iam:GetServerCertificate"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- 
"Action": "kms:GenerateRandom",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
{
"Action": [
"s3:Get*"
@@ -1733,12 +1617,26 @@
},
{
"Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:DescribeLifecycleHooks",
+ "autoscaling:DescribeTags",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateTags",
"ec2:DescribeAccountAttributes",
"ec2:DescribeInstances",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeLaunchTemplateVersions",
+ "ec2:DescribeRegions",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications",
"ec2:DescribeVpcs",
+ "ec2:ModifyInstanceAttribute",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
"elasticloadbalancing:AttachLoadBalancerToSubnets",
@@ -1767,18 +1665,28 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
- "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
+ "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
+ "iam:GetServerCertificate",
+ "iam:ListServerCertificates",
+ "kms:GenerateRandom"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
+ "autoscaling:CompleteLifecycleAction",
+ "autoscaling:DescribeAutoScalingInstances",
"ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
"ec2:DeleteVolume",
"ec2:DetachVolume",
"ec2:ModifyInstanceAttribute",
- "ec2:ModifyVolume"
+ "ec2:ModifyVolume",
+ "ec2:RevokeSecurityGroupIngress"
],
"Condition": {
"StringEquals": {
@@ -1804,30 +1712,6 @@
],
"PolicyDocument": {
"Statement": [
- {
- "Action": [
- "ec2:DescribeInstances",
- "ec2:DescribeRegions"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeAutoScalingInstances",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "kms:GenerateRandom",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
{
"Action": [
"s3:Get*"
@@ -1853,6 +1737,16 @@
"Resource": [
"arn:aws:s3:::placeholder-read-bucket"
]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingInstances",
+ "ec2:DescribeInstances",
+ "ec2:DescribeRegions",
+ "kms:GenerateRandom"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
}
],
"Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy b/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy
index 3f35718bbc..b92d1eb236 100644
--- a/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy
+++ b/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy
@@ -1,121 +1,5 @@
{
"Statement": [
- {
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstances",
- "ec2:DescribeInternetGateways",
- "ec2:DescribeRegions",
- "ec2:DescribeRouteTables",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeSubnets",
- "ec2:DescribeVolumes"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:CreateSecurityGroup",
- "ec2:CreateTags",
- "ec2:ModifyInstanceAttribute"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:CreateRoute",
- "ec2:DeleteRoute",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "private-shared-ip.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:CompleteLifecycleAction",
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "private-shared-ip.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeLifecycleHooks",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeAutoScalingInstances",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "autoscaling:DescribeAutoScalingGroups",
- "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:DescribeTags",
- "ec2:DescribeLaunchTemplateVersions"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "autoscaling:CompleteLifecycleAction",
- "autoscaling:DescribeAutoScalingInstances"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "private-shared-ip.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "iam:ListServerCertificates",
- "iam:GetServerCertificate"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "kms:GenerateRandom",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
{
"Action": [
"s3:Get*"
@@ -265,12 +149,26 @@
},
{
"Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:DescribeLifecycleHooks",
+ "autoscaling:DescribeTags",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateTags",
"ec2:DescribeAccountAttributes",
"ec2:DescribeInstances",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeLaunchTemplateVersions",
+ "ec2:DescribeRegions",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications",
"ec2:DescribeVpcs",
+ "ec2:ModifyInstanceAttribute",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
"elasticloadbalancing:AttachLoadBalancerToSubnets",
@@ -299,18 +197,28 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
- "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
+ "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
+ "iam:GetServerCertificate",
+ "iam:ListServerCertificates",
+ "kms:GenerateRandom"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
+ "autoscaling:CompleteLifecycleAction",
+ "autoscaling:DescribeAutoScalingInstances",
"ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
"ec2:DeleteVolume",
"ec2:DetachVolume",
"ec2:ModifyInstanceAttribute",
- "ec2:ModifyVolume"
+ "ec2:ModifyVolume",
+ "ec2:RevokeSecurityGroupIngress"
],
"Condition": {
"StringEquals": {
diff --git a/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_nodes.private-shared-ip.example.com_policy b/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_nodes.private-shared-ip.example.com_policy
index 7d5265c725..ecf7a31fc5 100644
--- a/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_nodes.private-shared-ip.example.com_policy
+++ b/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_nodes.private-shared-ip.example.com_policy
@@ -1,29 +1,5 @@
{
"Statement": [
- {
- "Action": [
- "ec2:DescribeInstances",
- "ec2:DescribeRegions"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeAutoScalingInstances",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "kms:GenerateRandom",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
{
"Action": [
"s3:Get*"
@@ -49,6 +25,16 @@
"Resource": [
"arn:aws:s3:::placeholder-read-bucket"
]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingInstances",
+ "ec2:DescribeInstances",
+ "ec2:DescribeRegions",
+ "kms:GenerateRandom"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
}
],
"Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy b/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy
index f53ec85d36..6f3b60260d 100644
--- a/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy
+++ b/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy
@@ -1,121 +1,5 @@
{
"Statement": [
- {
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstances",
- "ec2:DescribeInternetGateways",
- "ec2:DescribeRegions",
- "ec2:DescribeRouteTables",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeSubnets",
- "ec2:DescribeVolumes"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:CreateSecurityGroup",
- "ec2:CreateTags",
- "ec2:ModifyInstanceAttribute"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:CreateRoute",
- "ec2:DeleteRoute",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "private-shared-subnet.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:CompleteLifecycleAction",
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "private-shared-subnet.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeLifecycleHooks",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeAutoScalingInstances",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "autoscaling:DescribeAutoScalingGroups",
- "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:DescribeTags",
- "ec2:DescribeLaunchTemplateVersions"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "autoscaling:CompleteLifecycleAction",
- "autoscaling:DescribeAutoScalingInstances"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "private-shared-subnet.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "iam:ListServerCertificates",
- "iam:GetServerCertificate"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": 
"kms:GenerateRandom",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
{
"Action": [
"s3:Get*"
@@ -265,12 +149,26 @@
},
{
"Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:DescribeLifecycleHooks",
+ "autoscaling:DescribeTags",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateTags",
"ec2:DescribeAccountAttributes",
"ec2:DescribeInstances",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeLaunchTemplateVersions",
+ "ec2:DescribeRegions",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications",
"ec2:DescribeVpcs",
+ "ec2:ModifyInstanceAttribute",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
"elasticloadbalancing:AttachLoadBalancerToSubnets",
@@ -299,18 +197,28 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
- "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
+ "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
+ "iam:GetServerCertificate",
+ "iam:ListServerCertificates",
+ "kms:GenerateRandom"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
+ "autoscaling:CompleteLifecycleAction",
+ "autoscaling:DescribeAutoScalingInstances",
"ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
"ec2:DeleteVolume",
"ec2:DetachVolume",
"ec2:ModifyInstanceAttribute",
- "ec2:ModifyVolume"
+ "ec2:ModifyVolume",
+ "ec2:RevokeSecurityGroupIngress"
],
"Condition": {
"StringEquals": {
diff --git a/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_nodes.private-shared-subnet.example.com_policy b/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_nodes.private-shared-subnet.example.com_policy
index cd1fe7ba96..59eaec197c 100644
--- a/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_nodes.private-shared-subnet.example.com_policy
+++ b/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_nodes.private-shared-subnet.example.com_policy
@@ -1,29 +1,5 @@
{
"Statement": [
- {
- "Action": [
- "ec2:DescribeInstances",
- "ec2:DescribeRegions"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeAutoScalingInstances",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "kms:GenerateRandom",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
{
"Action": [
"s3:Get*"
@@ -49,6 +25,16 @@
"Resource": [
"arn:aws:s3:::placeholder-read-bucket"
]
+ },
+ {
+ "Action": [
+ "autoscaling:DescribeAutoScalingInstances",
+ "ec2:DescribeInstances",
+ "ec2:DescribeRegions",
+ "kms:GenerateRandom"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
}
],
"Version": "2012-10-17"
diff --git a/tests/integration/update_cluster/privatecalico/cloudformation.json b/tests/integration/update_cluster/privatecalico/cloudformation.json
index 8761677bf2..3fb6a8ab29 100644
--- a/tests/integration/update_cluster/privatecalico/cloudformation.json
+++ b/tests/integration/update_cluster/privatecalico/cloudformation.json
@@ -1624,122 +1624,6 @@
],
"PolicyDocument": {
"Statement": [
- {
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstances",
- "ec2:DescribeInternetGateways",
- "ec2:DescribeRegions",
- "ec2:DescribeRouteTables",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeSubnets",
- "ec2:DescribeVolumes"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:CreateSecurityGroup",
- "ec2:CreateTags",
- "ec2:ModifyInstanceAttribute"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:CreateRoute",
- "ec2:DeleteRoute",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "privatecalico.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:CompleteLifecycleAction",
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "privatecalico.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeLifecycleHooks",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeAutoScalingInstances",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "autoscaling:DescribeAutoScalingGroups",
- "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:DescribeTags",
- "ec2:DescribeLaunchTemplateVersions"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "autoscaling:CompleteLifecycleAction",
- "autoscaling:DescribeAutoScalingInstances"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "privatecalico.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "iam:ListServerCertificates",
- "iam:GetServerCertificate"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": 
"kms:GenerateRandom",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
{
"Action": [
"s3:Get*"
@@ -1889,12 +1773,26 @@
},
{
"Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:DescribeLifecycleHooks",
+ "autoscaling:DescribeTags",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateTags",
"ec2:DescribeAccountAttributes",
"ec2:DescribeInstances",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeLaunchTemplateVersions",
+ "ec2:DescribeRegions",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications",
"ec2:DescribeVpcs",
+ "ec2:ModifyInstanceAttribute",
"ec2:ModifyNetworkInterfaceAttribute",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
@@ -1924,18 +1822,28 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
- "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
+ "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
+ "iam:GetServerCertificate",
+ "iam:ListServerCertificates",
+ "kms:GenerateRandom"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
+ "autoscaling:CompleteLifecycleAction",
+ "autoscaling:DescribeAutoScalingInstances",
"ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
"ec2:DeleteVolume",
"ec2:DetachVolume",
"ec2:ModifyInstanceAttribute",
- "ec2:ModifyVolume"
+ "ec2:ModifyVolume",
+ "ec2:RevokeSecurityGroupIngress"
],
"Condition": {
"StringEquals": {
@@ -1961,30 +1869,6 @@
],
"PolicyDocument": {
"Statement": [
- {
- "Action": [
- "ec2:DescribeInstances",
- "ec2:DescribeRegions"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeAutoScalingInstances",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "kms:GenerateRandom",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
{
"Action": [
"s3:Get*"
@@ -2013,8 +1897,11 @@
},
{
"Action": [
+ "autoscaling:DescribeAutoScalingInstances",
"ec2:DescribeInstances",
- "ec2:ModifyNetworkInterfaceAttribute"
+ "ec2:DescribeRegions",
+ "ec2:ModifyNetworkInterfaceAttribute",
+ "kms:GenerateRandom"
],
"Effect": "Allow",
"Resource": "*"
diff --git a/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy b/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy
index ebf4ce0569..95bbfaa297 100644
--- a/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy
+++ b/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy
@@ -1,121 +1,5 @@
{
"Statement": [
- {
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstances",
- "ec2:DescribeInternetGateways",
- "ec2:DescribeRegions",
- "ec2:DescribeRouteTables",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeSubnets",
- "ec2:DescribeVolumes"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:CreateSecurityGroup",
- "ec2:CreateTags",
- "ec2:ModifyInstanceAttribute"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:CreateRoute",
- "ec2:DeleteRoute",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "privatecalico.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:CompleteLifecycleAction",
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "privatecalico.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeLifecycleHooks",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeAutoScalingInstances",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "autoscaling:DescribeAutoScalingGroups",
- "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:DescribeTags",
- "ec2:DescribeLaunchTemplateVersions"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "autoscaling:CompleteLifecycleAction",
- "autoscaling:DescribeAutoScalingInstances"
- ],
- "Condition": {
- "StringEquals": {
- "autoscaling:ResourceTag/KubernetesCluster": "privatecalico.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "iam:ListServerCertificates",
- "iam:GetServerCertificate"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "kms:GenerateRandom",
- "Effect": 
"Allow",
- "Resource": [
- "*"
- ]
- },
{
"Action": [
"s3:Get*"
@@ -265,12 +149,26 @@
},
{
"Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:DescribeLifecycleHooks",
+ "autoscaling:DescribeTags",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateTags",
"ec2:DescribeAccountAttributes",
"ec2:DescribeInstances",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeLaunchTemplateVersions",
+ "ec2:DescribeRegions",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications",
"ec2:DescribeVpcs",
+ "ec2:ModifyInstanceAttribute",
"ec2:ModifyNetworkInterfaceAttribute",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
@@ -300,18 +198,28 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
- "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
+ "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
+ "iam:GetServerCertificate",
+ "iam:ListServerCertificates",
+ "kms:GenerateRandom"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
+ "autoscaling:CompleteLifecycleAction",
+ "autoscaling:DescribeAutoScalingInstances",
"ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:DeleteSecurityGroup",
"ec2:DeleteVolume",
"ec2:DetachVolume",
"ec2:ModifyInstanceAttribute",
- "ec2:ModifyVolume"
+ "ec2:ModifyVolume",
+ "ec2:RevokeSecurityGroupIngress"
],
"Condition": {
"StringEquals": {
diff --git a/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_nodes.privatecalico.example.com_policy b/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_nodes.privatecalico.example.com_policy
index c324f9893b..a36afc08c8 100644
--- a/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_nodes.privatecalico.example.com_policy
+++ b/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_nodes.privatecalico.example.com_policy
@@ -1,29 +1,5 @@
{
"Statement": [
- {
- "Action": [
- "ec2:DescribeInstances",
- "ec2:DescribeRegions"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "autoscaling:DescribeAutoScalingInstances",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "kms:GenerateRandom",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
{
"Action": [
"s3:Get*"
@@ -52,8 +28,11 @@
},
{
"Action": [
+ "autoscaling:DescribeAutoScalingInstances",
"ec2:DescribeInstances",
- "ec2:ModifyNetworkInterfaceAttribute"
+ "ec2:DescribeRegions",
+ "ec2:ModifyNetworkInterfaceAttribute",
+ "kms:GenerateRandom"
],
"Effect": "Allow",
"Resource": "*"
diff --git a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy
index 465a444e8a..34abd51ef6 100644
--- a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy
+++ b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "privatecanal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privatecanal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privatecanal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": 
"Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -265,12 +149,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -299,18 +197,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { diff --git a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_nodes.privatecanal.example.com_policy b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_nodes.privatecanal.example.com_policy index d0d452b17f..3f8797f443 100644 
--- a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_nodes.privatecanal.example.com_policy +++ b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_nodes.privatecanal.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -49,6 +25,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privatecilium/cloudformation.json b/tests/integration/update_cluster/privatecilium/cloudformation.json index efc8c0ee54..97cddee432 100644 --- a/tests/integration/update_cluster/privatecilium/cloudformation.json +++ b/tests/integration/update_cluster/privatecilium/cloudformation.json 
@@ -1610,122 +1610,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "privatecilium.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privatecilium.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privatecilium.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": 
"kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -1875,12 +1759,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -1909,18 +1807,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { 
@@ -1946,30 +1854,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -1995,6 +1879,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy b/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy index fab47ace3c..31f835211b 100644 --- a/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy +++ b/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "privatecilium.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privatecilium.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privatecilium.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": 
"Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -265,12 +149,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -299,18 +197,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { diff --git a/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_nodes.privatecilium.example.com_policy b/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_nodes.privatecilium.example.com_policy index ff80b7a8b1..7bbfa56570 100644 
--- a/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_nodes.privatecilium.example.com_policy +++ b/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_nodes.privatecilium.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -49,6 +25,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privatecilium2/cloudformation.json b/tests/integration/update_cluster/privatecilium2/cloudformation.json index a74969bc5d..e06dd9d022 100644 --- a/tests/integration/update_cluster/privatecilium2/cloudformation.json +++ b/tests/integration/update_cluster/privatecilium2/cloudformation.json 
@@ -1610,122 +1610,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "privatecilium.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privatecilium.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privatecilium.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": 
"kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -1875,12 +1759,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -1909,18 +1807,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { 
@@ -1946,30 +1854,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -1997,6 +1881,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy b/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy index fab47ace3c..31f835211b 100644 --- a/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy +++ b/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "privatecilium.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privatecilium.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privatecilium.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": 
"Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -265,12 +149,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -299,18 +197,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_nodes.privatecilium.example.com_policy b/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_nodes.privatecilium.example.com_policy index 7d12bd7b16..66647aa9be 100644 
--- a/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_nodes.privatecilium.example.com_policy +++ b/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_nodes.privatecilium.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -51,6 +27,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json b/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json index 2923f1fbf9..9f4735c474 100644 --- a/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json +++ b/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json 
@@ -1643,122 +1643,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, 
- { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -1932,18 +1816,30 @@ "ec2:DescribeVpcs" ], "Effect": "Allow", - "Resource": [ - "*" - ] + "Resource": "*" }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -1972,18 +1868,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { 
@@ -2009,30 +1915,6 @@ ], "PolicyDocument": { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -2058,6 +1940,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy b/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy index 72054e9794..3bcdf37065 100644 --- a/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy +++ b/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privateciliumadvanced.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": 
"kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -289,18 +173,30 @@ "ec2:DescribeVpcs" ], "Effect": "Allow", - "Resource": [ - "*" - ] + "Resource": "*" }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -329,18 +225,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { 
diff --git a/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_nodes.privateciliumadvanced.example.com_policy b/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_nodes.privateciliumadvanced.example.com_policy index 57ce8691ce..1297b8e54d 100644 --- a/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_nodes.privateciliumadvanced.example.com_policy +++ b/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_nodes.privateciliumadvanced.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -49,6 +25,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy b/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy index a54165e32c..baccaa2d3f 100644 --- a/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy +++ b/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "privatedns1.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privatedns1.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privatedns1.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": 
"Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -265,12 +149,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -299,18 +197,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { diff --git a/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_nodes.privatedns1.example.com_policy b/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_nodes.privatedns1.example.com_policy index 78d96beada..ea8b4ee2c9 100644 
--- a/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_nodes.privatedns1.example.com_policy +++ b/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_nodes.privatedns1.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -49,6 +25,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy b/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy index 66fce1d269..4547890af6 100644 --- a/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy +++ b/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "privatedns2.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privatedns2.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privatedns2.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": 
"Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -265,12 +149,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -299,18 +197,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { diff --git a/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_nodes.privatedns2.example.com_policy b/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_nodes.privatedns2.example.com_policy index 42f5710c48..1508b898cc 100644 
--- a/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_nodes.privatedns2.example.com_policy +++ b/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_nodes.privatedns2.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -49,6 +25,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy b/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy index 05fb8a0672..45aab29e0e 100644 --- a/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy +++ b/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "privateflannel.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privateflannel.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privateflannel.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - 
"Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -265,12 +149,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -299,18 +197,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { 
diff --git a/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_nodes.privateflannel.example.com_policy b/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_nodes.privateflannel.example.com_policy index 5980ef33fc..bfc32551a7 100644 --- a/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_nodes.privateflannel.example.com_policy +++ b/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_nodes.privateflannel.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -49,6 +25,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy b/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy index 4389997862..48a1ebaf45 100644 --- a/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy +++ b/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "privatekopeio.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privatekopeio.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privatekopeio.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": 
"Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -265,12 +149,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -299,18 +197,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { diff --git a/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_nodes.privatekopeio.example.com_policy b/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_nodes.privatekopeio.example.com_policy index ce7f4aa39d..e5e081fce9 100644 
--- a/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_nodes.privatekopeio.example.com_policy +++ b/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_nodes.privatekopeio.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -49,6 +25,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy b/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy index 16acc00dbe..ba8b27282c 100644 --- a/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy +++ b/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "privateweave.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privateweave.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "privateweave.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": 
"Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -265,12 +149,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -299,18 +197,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { diff --git a/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_nodes.privateweave.example.com_policy b/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_nodes.privateweave.example.com_policy index 04daae4df3..795dab0201 100644 
--- a/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_nodes.privateweave.example.com_policy +++ b/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_nodes.privateweave.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -49,6 +25,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy index f3429c9fa4..d131e25d03 100644 --- a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - 
"Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -198,7 +82,24 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", + "ec2:DescribeAccountAttributes", + "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVolumes", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -227,10 +128,32 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" + }, + { + "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:RevokeSecurityGroupIngress" + ], + "Condition": { + "StringEquals": { + "aws:ResourceTag/KubernetesCluster": "minimal.example.com" + } + }, + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_nodes.minimal.example.com_policy b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_nodes.minimal.example.com_policy index 452bb72a13..ca2ca63d75 100644 
--- a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_nodes.minimal.example.com_policy +++ b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_nodes.minimal.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -49,6 +25,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy b/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy index ff7b74ce22..7cd8687ff7 100644 --- a/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy +++ b/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "sharedsubnet.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "sharedsubnet.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "sharedsubnet.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": 
"Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -265,12 +149,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -299,18 +197,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { diff --git a/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_nodes.sharedsubnet.example.com_policy b/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_nodes.sharedsubnet.example.com_policy index 82d912af39..5d33f2705b 100644 
--- a/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_nodes.sharedsubnet.example.com_policy +++ b/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_nodes.sharedsubnet.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -49,6 +25,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy b/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy index f5613632a5..e19fbdd6c3 100644 --- a/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy +++ b/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "sharedvpc.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "sharedvpc.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "sharedvpc.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - 
"Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -265,12 +149,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -299,18 +197,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { diff --git a/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_nodes.sharedvpc.example.com_policy b/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_nodes.sharedvpc.example.com_policy index 0be5224ff8..63ad1f7b83 100644 
--- a/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_nodes.sharedvpc.example.com_policy +++ b/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_nodes.sharedvpc.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -49,6 +25,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy b/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy index 4e0a9f128b..1116e6bd83 100644 --- a/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy +++ b/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "unmanaged.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "unmanaged.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "unmanaged.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - 
"Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -265,12 +149,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -299,18 +197,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { diff --git a/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_nodes.unmanaged.example.com_policy b/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_nodes.unmanaged.example.com_policy index bc158e67d8..8b89daaed1 100644 
--- a/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_nodes.unmanaged.example.com_policy +++ b/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_nodes.unmanaged.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -49,6 +25,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17" diff --git a/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy index 8fadc55224..278ceabb2e 100644 --- a/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy 
@@ -1,121 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:ModifyInstanceAttribute" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:CompleteLifecycleAction", - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeLifecycleHooks", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "autoscaling:CompleteLifecycleAction", - "autoscaling:DescribeAutoScalingInstances" - ], - "Condition": { - "StringEquals": { - "autoscaling:ResourceTag/KubernetesCluster": "minimal.example.com" - } - }, - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": [ - "iam:ListServerCertificates", - "iam:GetServerCertificate" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - 
"Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -265,12 +149,26 @@ }, { "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeLifecycleHooks", + "autoscaling:DescribeTags", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", + "ec2:DescribeInternetGateways", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", + "ec2:ModifyInstanceAttribute", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", @@ -299,18 +197,28 @@ "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:GetServerCertificate", + "iam:ListServerCertificates", + "kms:GenerateRandom" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ + "autoscaling:CompleteLifecycleAction", + "autoscaling:DescribeAutoScalingInstances", "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume" + "ec2:ModifyVolume", + "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { diff --git a/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_nodes.minimal.example.com_policy b/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_nodes.minimal.example.com_policy index 452bb72a13..ca2ca63d75 100644 
--- a/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_nodes.minimal.example.com_policy +++ b/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_nodes.minimal.example.com_policy @@ -1,29 +1,5 @@ { "Statement": [ - { - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeRegions" - ], - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "autoscaling:DescribeAutoScalingInstances", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, - { - "Action": "kms:GenerateRandom", - "Effect": "Allow", - "Resource": [ - "*" - ] - }, { "Action": [ "s3:Get*" @@ -49,6 +25,16 @@ "Resource": [ "arn:aws:s3:::placeholder-read-bucket" ] + }, + { + "Action": [ + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "kms:GenerateRandom" + ], + "Effect": "Allow", + "Resource": "*" } ], "Version": "2012-10-17"