From 0c90c4f960f8f67b11e45f561ef1295282375710 Mon Sep 17 00:00:00 2001
From: Jason Deal
Date: Fri, 26 Jan 2024 17:56:50 -0800
Subject: [PATCH] ci: enable tagging PodIdentityAssociations (#5544)

---
 test/cloudformation/iam_cloudformation.yaml | 40 ++++++++++++---------
 1 file changed, 24 insertions(+), 16 deletions(-)

diff --git a/test/cloudformation/iam_cloudformation.yaml b/test/cloudformation/iam_cloudformation.yaml
index e73a54933aeb..757354f702e6 100644
--- a/test/cloudformation/iam_cloudformation.yaml
+++ b/test/cloudformation/iam_cloudformation.yaml
@@ -49,7 +49,7 @@ Resources:
 - !Sub "arn:${AWS::Partition}:cloudformation:*:${AWS::AccountId}:stack/eksctl-*"
 Condition:
 StringEquals:
- aws:RequestedRegion:
+ aws:RequestedRegion:
 Ref: Regions
 - Effect: Allow
 Action:
@@ -64,28 +64,28 @@ Resources:
 Resource: !Sub "arn:${AWS::Partition}:fis:*:${AWS::AccountId}:action/*"
 Condition:
 StringEquals:
- aws:RequestedRegion:
+ aws:RequestedRegion:
 Ref: Regions
 - Effect: Allow
 Action:
 - fis:CreateExperimentTemplate
 - fis:DeleteExperimentTemplate
 - fis:StartExperiment
- Resource:
+ Resource:
 - !Sub "arn:${AWS::Partition}:fis:*:${AWS::AccountId}:experiment-template/*"
 Condition:
 StringEquals:
- aws:RequestedRegion:
+ aws:RequestedRegion:
 Ref: Regions
 - Effect: Allow
 Action:
 - fis:GetExperiment
 - fis:StartExperiment
- Resource:
+ Resource:
 - !Sub "arn:${AWS::Partition}:fis:*:${AWS::AccountId}:experiment/*"
 Condition:
 StringEquals:
- aws:RequestedRegion:
+ aws:RequestedRegion:
 Ref: Regions
 - Effect: Allow
 Action:
@@ -105,11 +105,11 @@ Resources:
 - sqs:RemovePermission
 - sqs:DeleteQueue
 - sqs:UntagQueue
- Resource:
+ Resource:
 - !Sub "arn:${AWS::Partition}:sqs:*:${AWS::AccountId}:*"
 Condition:
 StringEquals:
- aws:RequestedRegion:
+ aws:RequestedRegion:
 Ref: Regions
 - Effect: Allow
 Action:
@@ -122,7 +122,7 @@ Resources:
 Resource: !Sub "arn:${AWS::Partition}:events:*:${AWS::AccountId}:rule/*"
 Condition:
 StringEquals:
- aws:RequestedRegion:
+ aws:RequestedRegion:
 Ref: Regions
 - Effect: Allow
 Action: timestream:WriteRecords
@@ -183,7 +183,7 @@ Resources:
 - iam:ListInstanceProfiles
 - iam:ListInstanceProfileTags
 Resource:
- - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:instance-profile/*"
+ - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:instance-profile/*"
 - Effect: Allow
 Action:
 - iam:AddRoleToInstanceProfile
@@ -236,7 +236,7 @@ Resources:
 Resource: !Sub "arn:${AWS::Partition}:eks:*:${AWS::AccountId}:cluster/*"
 Condition:
 StringEquals:
- aws:RequestedRegion:
+ aws:RequestedRegion:
 Ref: Regions
 - Effect: Allow
 Action:
@@ -246,7 +246,7 @@ Resources:
 - !Sub "arn:${AWS::Partition}:eks:*:${AWS::AccountId}:addon/*"
 Condition:
 StringEquals:
- aws:RequestedRegion:
+ aws:RequestedRegion:
 Ref: Regions
 - Effect: Allow
 Action:
@@ -256,7 +256,15 @@ Resources:
 Resource: !Sub "arn:${AWS::Partition}:eks:*:${AWS::AccountId}:nodegroup/*"
 Condition:
 StringEquals:
- aws:RequestedRegion:
+ aws:RequestedRegion:
+ Ref: Regions
+ - Effect: Allow
+ Action:
+ - eks:TagResource
+ Resource: !Sub "arn:${AWS::Partition}:eks:*:${AWS::AccountId}:podidentityassociation/*"
+ Condition:
+ StringEquals:
+ aws:RequestedRegion:
 Ref: Regions
 # GithubActionsPermissionsBoundary includes all permissions needed for all designated roles provisioned by the GithubActions
 # CI task. This includes the cluster ServiceRoles that are generated by EKSCTL and all roles generated with IRSA to interface from the
@@ -421,9 +429,9 @@ Resources:
 Statement:
 - Effect: Allow
 Action: ec2:SendSpotInstanceInterruptions
- Resource:
+ Resource:
 - !Sub "arn:${AWS::Partition}:ec2:*:${AWS::AccountId}:instance/*"
 Condition:
 StringEquals:
- aws:RequestedRegion:
- Ref: Regions
\ No newline at end of file
+ aws:RequestedRegion:
+ Ref: Regions
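Review bot: The new `eks:TagResource` statement in the `@@ -256,7 +256,15 @@` hunk is region-scoped but not key-scoped, so the role may write any tag on every pod identity association in the account; if any policy in this account gates access on those tags (ABAC), that is a tag-based escalation path the commit leaves open. Constrain it to the keys CI actually writes by adding, beside the existing `StringEquals` block, `ForAllValues:StringEquals:` / `aws:TagKeys:` / `- <ci-tag-key-placeholder>` (the real key names are not visible in this diff). The sibling SQS statement in the `@@ -105,11 +105,11 @@` hunk pairs tagging with `sqs:UntagQueue`; if CI cleanup also removes these tags, `eks:UntagResource` on the same resource will be needed and is not granted here. The enclosing `Statement` list begins before the hunk.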