in hybrid-nodes-cdk/lib/nodeadm/policies.ts [4:361]
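/**
 * Builds the IAM policy attached to the nodeadm e2e test runner so it can
 * create the per-test infrastructure (IAM roles/instance profiles, VPC and
 * transit-gateway networking, EC2 instances, SSM activations, S3 buckets,
 * EKS clusters/access entries/add-ons, CloudFormation stacks, IAM Roles
 * Anywhere trust anchors/profiles, EKS log groups) and clean it up again.
 *
 * Most create/delete actions are fenced by a tag condition: creation requires
 * the request to tag the resource with `testClusterTagKey` matching
 * `${testClusterPrefix}-*`, and deletion requires the existing resource to
 * carry that same tag. Describe/List actions and a few actions that do not
 * support tag conditions are granted unconditionally on `*`; those are the
 * statements worth re-reviewing when the policy is widened.
 *
 * @param stack Stack the policy is created in; also supplies the account and
 *   region used to build resource ARNs.
 * @param testClusterTagKey Tag key every test-owned resource is expected to carry.
 * @param testClusterPrefix Tag-value prefix (`<prefix>-*`) that marks a resource as test-owned.
 * @param binaryBucketArn ARN of the bucket holding nodeadm binaries (read-only access).
 * @param podIdentityS3BucketPrefix Name prefix of buckets the pod-identity tests may create and delete.
 * @returns The constructed `iam.Policy` (id `nodeadm-e2e-tests-runner-policy`).
 */
export function createNodeadmTestsCreationCleanupPolicy(
  stack: cdk.Stack,
  testClusterTagKey: string,
  testClusterPrefix: string,
  binaryBucketArn: string,
  podIdentityS3BucketPrefix: string,
): iam.Policy {
  // Creation-side guard: the caller must tag the new resource as test-owned.
  const requestTagCondition = {
    StringLike: {
      [`aws:RequestTag/${testClusterTagKey}`]: `${testClusterPrefix}-*`,
    },
  };
  // Deletion/mutation-side guard: the existing resource must already be tagged as test-owned.
  const resourceTagCondition = {
    StringLike: {
      [`aws:ResourceTag/${testClusterTagKey}`]: `${testClusterPrefix}-*`,
    },
  };

  // ARN patterns reused across several statements.
  const anyRoleArn = `arn:aws:iam::${stack.account}:role/*`;
  const anyInstanceProfileArn = `arn:aws:iam::${stack.account}:instance-profile/*`;
  const anyEksClusterArn = `arn:aws:eks:${stack.region}:${stack.account}:cluster/*`;
  const anyEksAccessEntryArn = `arn:aws:eks:${stack.region}:${stack.account}:access-entry/*`;
  const anyCfnStackArn = `arn:aws:cloudformation:${stack.region}:${stack.account}:stack/*`;
  const rolesAnywhereArns = [
    `arn:aws:rolesanywhere:${stack.region}:${stack.account}:trust-anchor/*`,
    `arn:aws:rolesanywhere:${stack.region}:${stack.account}:profile/*`,
  ];
  const eksLogGroupArn = `arn:aws:logs:${stack.region}:${stack.account}:log-group:/aws/eks/*`;

  return new iam.Policy(stack, 'nodeadm-e2e-tests-runner-policy', {
    statements: [
      // NOTE(review): iam:PassRole (and the other role mutations here) is granted on
      // every role in the account with no tag condition. If the roles the tests pass
      // and modify are all created through this policy (and therefore tagged), this
      // statement could be narrowed with resourceTagCondition; confirm against the
      // test harness before tightening, since PassRole on role/* is the broadest grant here.
      new iam.PolicyStatement({
        actions: [
          'iam:AttachRolePolicy',
          'iam:DetachRolePolicy',
          'iam:GetRole',
          'iam:GetRolePolicy',
          'iam:ListRoles',
          'iam:ListRoleTags',
          'iam:PassRole',
          'iam:PutRolePolicy',
          'iam:TagRole',
        ],
        resources: [anyRoleArn],
        effect: iam.Effect.ALLOW,
      }),
      new iam.PolicyStatement({
        actions: [
          'iam:DeleteRolePolicy',
          'iam:ListAttachedRolePolicies',
          'iam:ListInstanceProfilesForRole',
          'iam:ListRolePolicies',
        ],
        resources: [anyRoleArn],
        effect: iam.Effect.ALLOW,
        conditions: resourceTagCondition,
      }),
      new iam.PolicyStatement({
        actions: ['iam:CreateServiceLinkedRole'],
        resources: [`arn:aws:iam::${stack.account}:role/aws-service-role/*`],
        effect: iam.Effect.ALLOW,
      }),
      new iam.PolicyStatement({
        actions: ['iam:CreateRole'],
        resources: [anyRoleArn],
        effect: iam.Effect.ALLOW,
        conditions: requestTagCondition,
      }),
      new iam.PolicyStatement({
        actions: ['iam:DeleteRole'],
        resources: [anyRoleArn],
        effect: iam.Effect.ALLOW,
        conditions: resourceTagCondition,
      }),
      new iam.PolicyStatement({
        actions: [
          'iam:AddRoleToInstanceProfile',
          'iam:CreateInstanceProfile',
          'iam:DeleteInstanceProfile',
          'iam:GetInstanceProfile',
          'iam:ListInstanceProfiles',
          'iam:RemoveRoleFromInstanceProfile',
        ],
        resources: [anyInstanceProfileArn],
        effect: iam.Effect.ALLOW,
      }),
      new iam.PolicyStatement({
        actions: ['iam:TagInstanceProfile'],
        resources: [anyInstanceProfileArn],
        effect: iam.Effect.ALLOW,
        conditions: requestTagCondition,
      }),
      // Networking and instance lifecycle. Unconditioned on '*'; the tag-fenced
      // create/delete EC2 actions live in the two statements that follow.
      new iam.PolicyStatement({
        actions: [
          'ec2:AcceptVpcPeeringConnection',
          'ec2:AssociateRouteTable',
          'ec2:AssociateTransitGatewayRouteTable',
          'ec2:AttachInternetGateway',
          'ec2:AuthorizeSecurityGroupIngress',
          'ec2:CreateRoute',
          'ec2:CreateRouteTable',
          'ec2:CreateSubnet',
          'ec2:CreateTransitGateway',
          'ec2:CreateTransitGatewayRoute',
          'ec2:CreateTransitGatewayRouteTable',
          'ec2:CreateTransitGatewayVpcAttachment',
          'ec2:CreateVpcPeeringConnection',
          'ec2:DeleteKeyPair',
          'ec2:DeleteNetworkInterface',
          'ec2:DeleteRouteTable',
          'ec2:DeleteSecurityGroup',
          'ec2:DeleteTransitGateway',
          'ec2:DeleteTransitGatewayRoute',
          'ec2:DeleteTransitGatewayRouteTable',
          'ec2:DeleteTransitGatewayVpcAttachment',
          'ec2:DescribeAvailabilityZones',
          'ec2:DescribeImages',
          'ec2:DescribeInstances',
          'ec2:DescribeInstanceStatus',
          'ec2:DescribeInternetGateways',
          'ec2:DescribeKeyPairs',
          'ec2:DescribeNetworkInterfaces',
          'ec2:DescribeRouteTables',
          'ec2:DescribeSecurityGroups',
          'ec2:DescribeSubnets',
          'ec2:DescribeTransitGateways',
          'ec2:DescribeTransitGatewayAttachments',
          'ec2:DescribeTransitGatewayRouteTables',
          'ec2:DescribeTransitGatewayVpcAttachments',
          'ec2:DescribeVpcPeeringConnections',
          'ec2:DescribeVpcs',
          'ec2:DisassociateTransitGatewayRouteTable',
          'ec2:GetTransitGatewayRouteTableAssociations',
          'ec2:ModifyInstanceAttribute',
          'ec2:ModifySubnetAttribute',
          'ec2:ModifyVpcAttribute',
          'ec2:RevokeSecurityGroupIngress',
          'ec2:RunInstances',
          'ec2:SearchTransitGatewayRoutes',
        ],
        resources: ['*'],
        effect: iam.Effect.ALLOW,
      }),
      new iam.PolicyStatement({
        actions: ['ec2:CreateInternetGateway', 'ec2:CreateKeyPair', 'ec2:CreateTags', 'ec2:CreateVpc'],
        resources: ['*'],
        effect: iam.Effect.ALLOW,
        conditions: requestTagCondition,
      }),
      new iam.PolicyStatement({
        actions: [
          'ec2:DeleteInternetGateway',
          'ec2:DeleteRoute',
          'ec2:DeleteSubnet',
          'ec2:DeleteVpc',
          'ec2:DeleteVpcPeeringConnection',
          'ec2:DetachInternetGateway',
          'ec2:DisassociateRouteTable',
          'ec2:RebootInstances',
          'ec2:StopInstances',
          'ec2:TerminateInstances',
          'ec2-instance-connect:SendSerialConsoleSSHPublicKey',
        ],
        resources: ['*'],
        effect: iam.Effect.ALLOW,
        conditions: resourceTagCondition,
      }),
      // SSM: remote command execution is limited to the AWS-RunShellScript document.
      new iam.PolicyStatement({
        actions: ['ssm:SendCommand'],
        resources: [
          'arn:aws:ec2:*:*:instance/*',
          'arn:aws:ssm:*:*:managed-instance/*',
          'arn:aws:ssm:*::document/AWS-RunShellScript',
        ],
        effect: iam.Effect.ALLOW,
      }),
      new iam.PolicyStatement({
        actions: ['ssm:GetCommandInvocation'],
        resources: [`arn:aws:ssm:*:${stack.account}:*`],
        effect: iam.Effect.ALLOW,
      }),
      new iam.PolicyStatement({
        actions: [
          'ssm:DeleteParameter',
          'ssm:DescribeActivations',
          'ssm:DescribeInstanceInformation',
          'ssm:DescribeParameters',
          'ssm:GetParameters',
          'ssm:ListTagsForResource',
          'ssm:PutParameter',
        ],
        resources: ['*'],
        effect: iam.Effect.ALLOW,
      }),
      new iam.PolicyStatement({
        actions: ['ssm:CreateActivation', 'ssm:AddTagsToResource'],
        resources: ['*'],
        effect: iam.Effect.ALLOW,
        conditions: requestTagCondition,
      }),
      // NOTE(review): DeleteActivation is unconditioned while CreateActivation is
      // tag-fenced; that asymmetry is presumably because activations are deleted by
      // id rather than by tag — confirm whether a resource-tag condition is supported here.
      new iam.PolicyStatement({
        actions: ['ssm:DeleteActivation'],
        resources: ['*'],
        effect: iam.Effect.ALLOW,
      }),
      new iam.PolicyStatement({
        actions: ['ssm:DeregisterManagedInstance'],
        resources: [`arn:aws:ssm:${stack.region}:${stack.account}:managed-instance/*`],
        effect: iam.Effect.ALLOW,
        conditions: resourceTagCondition,
      }),
      new iam.PolicyStatement({
        actions: ['ssm:GetParameter'],
        resources: [
          `arn:aws:ssm:${stack.region}:${stack.account}:parameter/*`,
          // Public (AWS-owned) parameters have no account id in their ARN.
          `arn:aws:ssm:${stack.region}::parameter/*`,
        ],
        effect: iam.Effect.ALLOW,
      }),
      // Effect is stated explicitly here for consistency with every other
      // statement (it was previously relying on the construct default).
      new iam.PolicyStatement({
        actions: ['secretsmanager:GetSecretValue'],
        resources: [`arn:aws:secretsmanager:${stack.region}:${stack.account}:secret:*`],
        effect: iam.Effect.ALLOW,
      }),
      // Read-only access to the nodeadm binary bucket.
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ['s3:GetObject', 's3:ListBucket'],
        resources: [binaryBucketArn, `${binaryBucketArn}/*`],
      }),
      // Full lifecycle of the pod-identity test buckets, scoped by name prefix.
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: [
          's3:CreateBucket',
          's3:DeleteBucket',
          's3:PutBucketTagging',
          's3:GetBucketTagging',
          's3:ListBucket',
          's3:PutObject*',
          's3:DeleteObject',
        ],
        resources: [`arn:aws:s3:::${podIdentityS3BucketPrefix}*`],
      }),
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ['s3:ListAllMyBuckets'],
        resources: ['*'],
      }),
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ['eks:CreateAccessEntry', 'eks:DescribeCluster', 'eks:ListClusters', 'eks:TagResource'],
        resources: [anyEksClusterArn, anyEksAccessEntryArn],
      }),
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ['eks:CreateCluster'],
        resources: [anyEksClusterArn],
        conditions: requestTagCondition,
      }),
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ['eks:DeleteCluster', 'eks:ListUpdates', 'eks:DescribeUpdate'],
        resources: [anyEksClusterArn],
        conditions: resourceTagCondition,
      }),
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ['eks:DeleteAccessEntry', 'eks:DescribeAccessEntry', 'eks:ListAssociatedAccessPolicies'],
        resources: [anyEksAccessEntryArn],
      }),
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ['eks:CreateAddon', 'eks:CreatePodIdentityAssociation'],
        resources: [anyEksClusterArn],
      }),
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ['eks:DeleteAddon', 'eks:DescribeAddon'],
        resources: [`arn:aws:eks:${stack.region}:${stack.account}:addon/*`],
      }),
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: [
          'cloudformation:DescribeStackEvents',
          'cloudformation:DescribeStacks',
          'cloudformation:DescribeStackResource',
          'cloudformation:UpdateStack',
        ],
        resources: [anyCfnStackArn],
      }),
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ['cloudformation:CreateStack'],
        resources: [anyCfnStackArn],
        conditions: requestTagCondition,
      }),
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ['cloudformation:DeleteStack'],
        resources: [anyCfnStackArn],
        conditions: resourceTagCondition,
      }),
      // ListStacks/DescribeStacks are list-style calls that need '*' (DescribeStacks
      // is also granted above on the stack ARN pattern; this one covers the unscoped call).
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ['cloudformation:ListStacks', 'cloudformation:DescribeStacks'],
        resources: ['*'],
      }),
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ['rolesanywhere:CreateTrustAnchor', 'rolesanywhere:CreateProfile'],
        resources: ['*'],
        conditions: requestTagCondition,
      }),
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ['rolesanywhere:TagResource'],
        resources: rolesAnywhereArns,
        conditions: requestTagCondition,
      }),
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ['rolesanywhere:ListTagsForResource'],
        resources: rolesAnywhereArns,
      }),
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ['rolesanywhere:ListTrustAnchors', 'rolesanywhere:ListProfiles'],
        resources: ['*'],
      }),
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: [
          'rolesanywhere:DeleteProfile',
          'rolesanywhere:DeleteTrustAnchor',
          'rolesanywhere:GetTrustAnchor',
          'rolesanywhere:GetProfile',
        ],
        resources: rolesAnywhereArns,
        conditions: resourceTagCondition,
      }),
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ['logs:TagResource'],
        resources: [eksLogGroupArn],
        conditions: requestTagCondition,
      }),
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ['logs:PutRetentionPolicy'],
        resources: [eksLogGroupArn],
      }),
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ['logs:DescribeLogGroups'],
        resources: ['*'],
      }),
    ],
  });
}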