Fix permission resource and condition (#427)
Signed-off-by: rasel <[email protected]>
Superm4n97 authored Jan 10, 2025
1 parent 9cdecb1 commit d758eb1
Showing 1 changed file with 158 additions and 97 deletions.
255 changes: 158 additions & 97 deletions files/products/appscode/aws-marketplace/ace_payg_cf_amd64.yaml
Expand Up @@ -50,9 +50,9 @@ Parameters:
Description: "Name of an existing EC2 KeyPair to enable SSH access to the instance."
Type: 'AWS::EC2::KeyPair::KeyName'
DomainWhiteList:
Description: "Domain name for domain whitelisting, only users from this domain can create accounts and log in. Ex: appscode.com"
Description: "Provide a valid and existing domain with an MX record for domain whitelisting. This domain will be used to validate users' email addresses during signup. For example: gmail.com, appscode.com etc."
Type: String
AllowedPattern: '^[^\s]+$'
AllowedPattern: '^(?!:\/\/)([a-zA-Z0-9-]{1,63}\.)+[a-zA-Z]{2,63}$'

Mappings:
InstanceMap:
Expand Down Expand Up @@ -238,113 +238,174 @@ Resources:
Statement:
- Effect: Allow # basic
Action:
- 'aws-marketplace:MeterUsage' # billing
- 's3:*' # s3-bucket
- 's3-object-lambda:*'
- 'eks:DescribeNodegroup' #import cluster permission
- 'ec2:DescribeIpamPools'
- 'ec2:AllocateIpamPoolCidr'
- 'ec2:AttachNetworkInterface'
- 'ec2:DetachNetworkInterface'
- 'ec2:AllocateAddress'
- 'ec2:AssignIpv6Addresses'
- 'ec2:AssignPrivateIpAddresses'
- 'ec2:UnassignPrivateIpAddresses'
- 'ec2:AssociateRouteTable'
- 'ec2:AssociateVpcCidrBlock'
- 'ec2:AttachInternetGateway'
- 'ec2:AuthorizeSecurityGroupIngress'
- 'ec2:CreateCarrierGateway'
- 'ec2:CreateInternetGateway'
- 'ec2:CreateEgressOnlyInternetGateway'
- 'ec2:CreateNatGateway'
- 'ec2:CreateNetworkInterface'
- 'ec2:CreateRoute'
- 'ec2:CreateRouteTable'
- 'ec2:CreateSecurityGroup'
- 'ec2:CreateSubnet'
- 'ec2:CreateTags'
- 'ec2:CreateVpc'
- 'ec2:CreateVpcEndpoint'
- 'ec2:DisassociateVpcCidrBlock'
- 'ec2:ModifyVpcAttribute'
- 'ec2:ModifyVpcEndpoint'
- 'ec2:DeleteCarrierGateway'
- 'ec2:DeleteInternetGateway'
- 'ec2:DeleteEgressOnlyInternetGateway'
- 'ec2:DeleteNatGateway'
- 'ec2:DeleteRouteTable'
- 'ec2:ReplaceRoute'
- 'ec2:DeleteSecurityGroup'
- 'ec2:DeleteSubnet'
- 'ec2:DeleteTags'
- 'ec2:DeleteVpc'
- 'ec2:DeleteVpcEndpoints'
- 'ec2:DescribeAccountAttributes'
- 'ec2:DescribeAddresses'
- 'ec2:DescribeAvailabilityZones'
- 'ec2:DescribeRegions'
- 'eks:DescribeCluster'
- 'eks:ListClusters'
- 'iam:CreateServiceLinkedRole' # iam limited access
- 'ec2:DescribeCarrierGateways'
- 'ec2:DescribeInstances'
- 'ec2:DescribeInstanceTypes'
- 'ec2:DescribeInternetGateways'
- 'ec2:DescribeEgressOnlyInternetGateways'
- 'ec2:DescribeInstanceTypes'
- 'ec2:DescribeImages'
- 'ec2:DescribeNatGateways'
- 'ec2:DescribeNetworkInterfaces'
- 'ec2:DescribeNetworkInterfaceAttribute'
- 'ec2:DescribeRouteTables'
- 'ec2:DescribeSecurityGroups'
- 'ec2:DescribeSubnets'
- 'ec2:DescribeVpcs'
- 'ec2:DescribeDhcpOptions'
- 'ec2:DescribeVpcAttribute'
- 'ec2:DescribeVpcEndpoints'
- 'ec2:DescribeVolumes'
- 'ec2:DescribeTags'
- 'ec2:DetachInternetGateway'
- 'ec2:DisassociateRouteTable'
- 'ec2:DisassociateAddress'
- 'ec2:ModifyInstanceAttribute'
- 'ec2:ModifyNetworkInterfaceAttribute'
- 'ec2:ModifySubnetAttribute'
- 'ec2:ReleaseAddress'
- 'ec2:RevokeSecurityGroupIngress'
- 'ec2:RunInstances'
- 'ec2:TerminateInstances'
- 'tag:GetResources'
- 'elasticloadbalancing:AddTags'
- 'elasticloadbalancing:CreateLoadBalancer'
- 'elasticloadbalancing:ConfigureHealthCheck'
- 'elasticloadbalancing:DeleteLoadBalancer'
- 'elasticloadbalancing:DeleteTargetGroup'
- 'elasticloadbalancing:DescribeLoadBalancers'
- 'elasticloadbalancing:DescribeLoadBalancerAttributes'
- 'elasticloadbalancing:DescribeTargetGroups'
- 'elasticloadbalancing:ApplySecurityGroupsToLoadBalancer'
- 'elasticloadbalancing:SetSecurityGroups'
- 'elasticloadbalancing:DescribeTags'
- 'elasticloadbalancing:ModifyLoadBalancerAttributes'
- 'elasticloadbalancing:RegisterInstancesWithLoadBalancer'
- 'elasticloadbalancing:DeregisterInstancesFromLoadBalancer'
- 'elasticloadbalancing:RemoveTags'
- 'elasticloadbalancing:SetSubnets'
- 'elasticloadbalancing:ModifyTargetGroupAttributes'
- 'elasticloadbalancing:CreateTargetGroup'
- 'elasticloadbalancing:DescribeListeners'
- 'elasticloadbalancing:CreateListener'
- 'elasticloadbalancing:DescribeTargetHealth'
- 'elasticloadbalancing:RegisterTargets'
- 'elasticloadbalancing:DeleteListener'
- 'autoscaling:DescribeAutoScalingGroups'
- 'autoscaling:DescribeInstanceRefreshes'
- 'ec2:CreateLaunchTemplate'
- 'ec2:CreateLaunchTemplateVersion'
- 'ec2:DescribeLaunchTemplates'
- 'ec2:DescribeLaunchTemplateVersions'
- 'ec2:DeleteLaunchTemplate'
- 'ec2:DeleteLaunchTemplateVersions'
- 'ec2:DescribeKeyPairs'
- 'ec2:ModifyInstanceMetadataOption'
- 'aws-marketplace:MeterUsage' # billing
- 'ec2:DescribeAvailabilityZones' #import cluster action
- 'ec2:DescribeRegions' #import cluster action
- 'eks:DescribeNodegroup' #import cluster action
- 'eks:DescribeCluster' #import cluster action
- 'eks:ListClusters' #import cluster action
Resource: '*'
- Effect: Allow # cluster create - eks full
- Effect: Allow
Action:
- 'eks:*'
- 'logs:PutRetentionPolicy'
- 'kms:CreateGrant'
- 'kms:DescribeKey'
Resource: '*'
- 'autoscaling:CreateAutoScalingGroup'
- 'autoscaling:UpdateAutoScalingGroup'
- 'autoscaling:CreateOrUpdateTags'
- 'autoscaling:StartInstanceRefresh'
- 'autoscaling:DeleteAutoScalingGroup'
- 'autoscaling:DeleteTags'
Resource: 'arn:*:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*'
- Effect: Allow
Action:
- 'iam:CreateServiceLinkedRole'
Resource:
- 'arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling'
Condition:
StringLike:
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
- Effect: Allow
Action:
- 'ssm:GetParameter'
- 'ssm:GetParameters'
- 'iam:CreateServiceLinkedRole'
Resource:
- 'arn:aws:ssm:*::parameter/aws/*'
- !Join
- ''
- - 'arn:aws:ssm:*:'
- !Ref 'AWS::AccountId'
- ':parameter/aws/*'
- Effect: Allow # cluster create - iam limited
- 'arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing'
Condition:
StringLike:
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
- Effect: Allow
Action:
- 'iam:CreateServiceLinkedRole'
Resource:
- 'arn:*:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot'
Condition:
StringLike:
"iam:AWSServiceName": "spot.amazonaws.com"
- Effect: Allow
Action:
- 'iam:CreateInstanceProfile'
- 'iam:DeleteInstanceProfile'
- 'iam:GetInstanceProfile'
- 'iam:RemoveRoleFromInstanceProfile'
- 'iam:GetRole'
- 'iam:CreateRole'
- 'iam:DeleteRole'
- 'iam:AttachRolePolicy'
- 'iam:PutRolePolicy'
- 'iam:UpdateAssumeRolePolicy'
- 'iam:AddRoleToInstanceProfile'
- 'iam:ListInstanceProfilesForRole'
- 'iam:PassRole'
- 'iam:DetachRolePolicy'
- 'iam:DeleteRolePolicy'
- 'iam:GetRolePolicy'
- 'iam:GetOpenIDConnectProvider'
- 'iam:CreateOpenIDConnectProvider'
- 'iam:DeleteOpenIDConnectProvider'
- 'iam:TagOpenIDConnectProvider'
- 'iam:ListAttachedRolePolicies'
- 'iam:TagRole'
- 'iam:UntagRole'
- 'iam:GetPolicy'
- 'iam:CreatePolicy'
- 'iam:DeletePolicy'
- 'iam:ListPolicyVersions'
Resource:
- !Join
- ''
- - 'arn:aws:iam::'
- !Ref 'AWS::AccountId'
- ':instance-profile/*'
- !Join
- ''
- - 'arn:aws:iam::'
- !Ref 'AWS::AccountId'
- ':role/*'
- !Join
- ''
- - 'arn:aws:iam::'
- !Ref 'AWS::AccountId'
- ':policy/*'
- !Join
- ''
- - 'arn:aws:iam::'
- !Ref 'AWS::AccountId'
- ':oidc-provider/*'
- !Join
- ''
- - 'arn:aws:iam::'
- !Ref 'AWS::AccountId'
- ':role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup'
- !Join
- ''
- - 'arn:aws:iam::'
- !Ref 'AWS::AccountId'
- ':role/*'
- 'arn:*:iam::*:role/*.cluster-api-provider-aws.sigs.k8s.io'
- Effect: Allow
Action:
- 'secretsmanager:CreateSecret'
- 'secretsmanager:DeleteSecret'
- 'secretsmanager:TagResource'
Resource:
- 'arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/*'
- Effect: Allow
Action:
- 'iam:GetRole'
- 'iam:GetUser'
- 's3:CreateBucket'
- 's3:DeleteBucket'
- 's3:GetObject'
- 's3:PutObject'
- 's3:DeleteObject'
- 's3:PutBucketPolicy'
- 's3:PutBucketTagging'
Resource:
- !Join
- ''
- - 'arn:aws:iam::'
- !Ref 'AWS::AccountId'
- ':role/*'
- !Join
- ''
- - 'arn:aws:iam::'
- !Ref 'AWS::AccountId'
- ':user/*'
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/AmazonEC2FullAccess'
- 'arn:aws:iam::aws:policy/AWSCloudFormationFullAccess'
- 'arn:aws:iam::aws:policy/AmazonS3FullAccess'
- 'arn:*:s3:::cluster-api-provider-aws-*'
- 'arn:*:s3:::ace*'
MeterUsageInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
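Review bot: The new statement that scopes `iam:CreateServiceLinkedRole` to `arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling` is conditioned on `"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"`, which looks copied from the ELB statement that follows it; if that condition is on the new side, creating the Auto Scaling service-linked role will be denied, because that call passes `autoscaling.amazonaws.com` as the service name and the condition can never match that resource. The line should read `"iam:AWSServiceName": "autoscaling.amazonaws.com"`, and since none of the three SLR conditions uses a wildcard, `StringEquals` is the tighter operator than `StringLike`. Separately, the large IAM statement still grants `iam:CreateRole`, `iam:AttachRolePolicy`, `iam:PutRolePolicy`, `iam:UpdateAssumeRolePolicy` and `iam:PassRole` on `:role/*` of the account, and together with `ec2:RunInstances` on `Resource: '*'` in the basic statement that is an escalation path to any role in the account, so the resource scoping this commit introduces elsewhere does not bound this statement. If `:role/*` survives on the new side, consider a name-prefix resource plus an `iam:PermissionsBoundary` condition on `iam:CreateRole`/`iam:PutRolePolicy` and an `iam:PassedToService` condition on `iam:PassRole`. The `AWS::IAM::Role` resource these statements belong to begins before this hunk and continues past it.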
