ci: enable tagging PodIdentityAssociations (#5544)
jmdeal authored Jan 27, 2024
1 parent d5e7c98 commit 0c90c4f
Showing 1 changed file with 24 additions and 16 deletions.
40 changes: 24 additions & 16 deletions test/cloudformation/iam_cloudformation.yaml
Expand Up @@ -49,7 +49,7 @@ Resources:
- !Sub "arn:${AWS::Partition}:cloudformation:*:${AWS::AccountId}:stack/eksctl-*"
Condition:
StringEquals:
aws:RequestedRegion:
aws:RequestedRegion:
Ref: Regions
- Effect: Allow
Action:
Expand All @@ -64,28 +64,28 @@ Resources:
Resource: !Sub "arn:${AWS::Partition}:fis:*:${AWS::AccountId}:action/*"
Condition:
StringEquals:
aws:RequestedRegion:
aws:RequestedRegion:
Ref: Regions
- Effect: Allow
Action:
- fis:CreateExperimentTemplate
- fis:DeleteExperimentTemplate
- fis:StartExperiment
Resource:
Resource:
- !Sub "arn:${AWS::Partition}:fis:*:${AWS::AccountId}:experiment-template/*"
Condition:
StringEquals:
aws:RequestedRegion:
aws:RequestedRegion:
Ref: Regions
- Effect: Allow
Action:
- fis:GetExperiment
- fis:StartExperiment
Resource:
Resource:
- !Sub "arn:${AWS::Partition}:fis:*:${AWS::AccountId}:experiment/*"
Condition:
StringEquals:
aws:RequestedRegion:
aws:RequestedRegion:
Ref: Regions
- Effect: Allow
Action:
Expand All @@ -105,11 +105,11 @@ Resources:
- sqs:RemovePermission
- sqs:DeleteQueue
- sqs:UntagQueue
Resource:
Resource:
- !Sub "arn:${AWS::Partition}:sqs:*:${AWS::AccountId}:*"
Condition:
StringEquals:
aws:RequestedRegion:
aws:RequestedRegion:
Ref: Regions
- Effect: Allow
Action:
Expand All @@ -122,7 +122,7 @@ Resources:
Resource: !Sub "arn:${AWS::Partition}:events:*:${AWS::AccountId}:rule/*"
Condition:
StringEquals:
aws:RequestedRegion:
aws:RequestedRegion:
Ref: Regions
- Effect: Allow
Action: timestream:WriteRecords
Expand Down Expand Up @@ -183,7 +183,7 @@ Resources:
- iam:ListInstanceProfiles
- iam:ListInstanceProfileTags
Resource:
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:instance-profile/*"
- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:instance-profile/*"
- Effect: Allow
Action:
- iam:AddRoleToInstanceProfile
Expand Down Expand Up @@ -236,7 +236,7 @@ Resources:
Resource: !Sub "arn:${AWS::Partition}:eks:*:${AWS::AccountId}:cluster/*"
Condition:
StringEquals:
aws:RequestedRegion:
aws:RequestedRegion:
Ref: Regions
- Effect: Allow
Action:
Expand All @@ -246,7 +246,7 @@ Resources:
- !Sub "arn:${AWS::Partition}:eks:*:${AWS::AccountId}:addon/*"
Condition:
StringEquals:
aws:RequestedRegion:
aws:RequestedRegion:
Ref: Regions
- Effect: Allow
Action:
Expand All @@ -256,7 +256,15 @@ Resources:
Resource: !Sub "arn:${AWS::Partition}:eks:*:${AWS::AccountId}:nodegroup/*"
Condition:
StringEquals:
aws:RequestedRegion:
aws:RequestedRegion:
Ref: Regions
- Effect: Allow
Action:
- eks:TagResource
Resource: !Sub "arn:${AWS::Partition}:eks:*:${AWS::AccountId}:podidentityassociation/*"
Condition:
StringEquals:
aws:RequestedRegion:
Ref: Regions
# GithubActionsPermissionsBoundary includes all permissions needed for all designated roles provisioned by the GithubActions
# CI task. This includes the cluster ServiceRoles that are generated by EKSCTL and all roles generated with IRSA to interface from the
Expand Down Expand Up @@ -421,9 +429,9 @@ Resources:
Statement:
- Effect: Allow
Action: ec2:SendSpotInstanceInterruptions
Resource:
Resource:
- !Sub "arn:${AWS::Partition}:ec2:*:${AWS::AccountId}:instance/*"
Condition:
StringEquals:
aws:RequestedRegion:
Ref: Regions
aws:RequestedRegion:
Ref: Regions
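Review bot: The new `eks:TagResource` statement in the `@@ -256,7 +256,15 @@` hunk is constrained only by `aws:RequestedRegion`, so the CI principal may write any tag key or value on every pod identity association in the account; if tags on these associations feed ABAC or ownership checks elsewhere, a tag-key condition such as `ForAllValues:StringEquals` on `aws:TagKeys` listing the keys CI actually sets would keep the grant to what the task needs. The statement grants TagResource without a matching `eks:UntagResource`, which is fine if the CI cleanup path never removes tags, but that is worth confirming. The other hunks in this file appear to differ only in trailing whitespace (the old and new lines print identically), so this statement is the only substantive change and is easy to miss among them. The enclosing policy document and the `Resources` block both start and end outside the hunk.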
