
Commit f90e596

feat(iam): add default irsa policy
1 parent deb641c commit f90e596


2 files changed

+258
-2
lines changed


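--- a/default_irsa_policy.json
+++ b/default_irsa_policy.json
@@ -0,0 +1,250 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": [
+"iam:CreateServiceLinkedRole"
+],
+"Resource": "*",
+"Condition": {
+"StringEquals": {
+"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:DescribeAccountAttributes",
+"ec2:DescribeAddresses",
+"ec2:DescribeAvailabilityZones",
+"ec2:DescribeInternetGateways",
+"ec2:DescribeVpcs",
+"ec2:DescribeVpcPeeringConnections",
+"ec2:DescribeSubnets",
+"ec2:DescribeSecurityGroups",
+"ec2:DescribeInstances",
+"ec2:DescribeNetworkInterfaces",
+"ec2:DescribeTags",
+"ec2:GetCoipPoolUsage",
+"ec2:DescribeCoipPools",
+"ec2:GetSecurityGroupsForVpc",
+"ec2:DescribeIpamPools",
+"elasticloadbalancing:DescribeLoadBalancers",
+"elasticloadbalancing:DescribeLoadBalancerAttributes",
+"elasticloadbalancing:DescribeListeners",
+"elasticloadbalancing:DescribeListenerCertificates",
+"elasticloadbalancing:DescribeSSLPolicies",
+"elasticloadbalancing:DescribeRules",
+"elasticloadbalancing:DescribeTargetGroups",
+"elasticloadbalancing:DescribeTargetGroupAttributes",
+"elasticloadbalancing:DescribeTargetHealth",
+"elasticloadbalancing:DescribeTags",
+"elasticloadbalancing:DescribeTrustStores",
+"elasticloadbalancing:DescribeListenerAttributes",
+"elasticloadbalancing:DescribeCapacityReservation"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"cognito-idp:DescribeUserPoolClient",
+"acm:ListCertificates",
+"acm:DescribeCertificate",
+"iam:ListServerCertificates",
+"iam:GetServerCertificate",
+"waf-regional:GetWebACL",
+"waf-regional:GetWebACLForResource",
+"waf-regional:AssociateWebACL",
+"waf-regional:DisassociateWebACL",
+"wafv2:GetWebACL",
+"wafv2:GetWebACLForResource",
+"wafv2:AssociateWebACL",
+"wafv2:DisassociateWebACL",
+"shield:GetSubscriptionState",
+"shield:DescribeProtection",
+"shield:CreateProtection",
+"shield:DeleteProtection"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:AuthorizeSecurityGroupIngress",
+"ec2:RevokeSecurityGroupIngress"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateSecurityGroup"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateTags"
+],
+"Resource": "arn:aws:ec2:*:*:security-group/*",
+"Condition": {
+"StringEquals": {
+"ec2:CreateAction": "CreateSecurityGroup"
+},
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateTags",
+"ec2:DeleteTags"
+],
+"Resource": "arn:aws:ec2:*:*:security-group/*",
+"Condition": {
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:AuthorizeSecurityGroupIngress",
+"ec2:RevokeSecurityGroupIngress",
+"ec2:DeleteSecurityGroup"
+],
+"Resource": "*",
+"Condition": {
+"Null": {
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:CreateLoadBalancer",
+"elasticloadbalancing:CreateTargetGroup"
+],
+"Resource": "*",
+"Condition": {
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:CreateListener",
+"elasticloadbalancing:DeleteListener",
+"elasticloadbalancing:CreateRule",
+"elasticloadbalancing:DeleteRule"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:AddTags",
+"elasticloadbalancing:RemoveTags"
+],
+"Resource": [
+"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+],
+"Condition": {
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:AddTags",
+"elasticloadbalancing:RemoveTags"
+],
+"Resource": [
+"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
+"arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
+"arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
+"arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
+]
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:ModifyLoadBalancerAttributes",
+"elasticloadbalancing:SetIpAddressType",
+"elasticloadbalancing:SetSecurityGroups",
+"elasticloadbalancing:SetSubnets",
+"elasticloadbalancing:DeleteLoadBalancer",
+"elasticloadbalancing:ModifyTargetGroup",
+"elasticloadbalancing:ModifyTargetGroupAttributes",
+"elasticloadbalancing:DeleteTargetGroup",
+"elasticloadbalancing:ModifyListenerAttributes",
+"elasticloadbalancing:ModifyCapacityReservation",
+"elasticloadbalancing:ModifyIpPools"
+],
+"Resource": "*",
+"Condition": {
+"Null": {
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:AddTags"
+],
+"Resource": [
+"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+],
+"Condition": {
+"StringEquals": {
+"elasticloadbalancing:CreateAction": [
+"CreateTargetGroup",
+"CreateLoadBalancer"
+]
+},
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:RegisterTargets",
+"elasticloadbalancing:DeregisterTargets"
+],
+"Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:SetWebAcl",
+"elasticloadbalancing:ModifyListener",
+"elasticloadbalancing:AddListenerCertificates",
+"elasticloadbalancing:RemoveListenerCertificates",
+"elasticloadbalancing:ModifyRule",
+"elasticloadbalancing:SetRulePriorities"
+],
+"Resource": "*"
+}
+]
+}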
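Review bot: The unconditional statement granting `ec2:AuthorizeSecurityGroupIngress` and `ec2:RevokeSecurityGroupIngress` on `"Resource": "*"` (new lines 73-80) means the later tag-gated statement (new lines 117-130) only effectively restricts `ec2:DeleteSecurityGroup`; IAM grants on any matching Allow, so the `aws:ResourceTag/elbv2.k8s.aws/cluster` condition does not narrow those two actions for this role. More broadly, every `Null` condition in the file checks only that the `elbv2.k8s.aws/cluster` tag is present, not which cluster it names, so a role carrying this default policy can modify load balancers, target groups and security groups created by any controller in the same account, and several mutating statements (new lines 144-153, 172-184, 237-248) carry no condition at all. The document appears to mirror the controller's published IAM policy, but strict JSON cannot hold a comment saying so, so I would record the upstream policy version it was copied from and these scoping caveats in the description of the variable that overrides it (or the module README), so consumers know when to supply a tighter per-cluster policy.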

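--- a/main.tf
+++ b/main.tf
@@ -12,12 +12,15 @@ locals {
 name = "load-balancer-controller"
 
 helm_chart_name = "aws-load-balancer-controller"
-helm_chart_version = "1.11.0"
+helm_chart_version = "1.12.0"
 helm_repo_url = "https://aws.github.io/eks-charts"
 }
 
 addon_irsa = {
-(local.addon.name) = {}
+(local.addon.name) = {
+irsa_policy_enabled = var.irsa_policy_enabled != null ? var.irsa_policy_enabled : true
+irsa_policy = var.irsa_policy != null ? var.irsa_policy : file("${path.module}/default_irsa_policy.json")
+}
 }
 
 addon_values = yamlencode({
@@ -28,5 +31,8 @@ locals {
 "eks.amazonaws.com/role-arn" = module.addon-irsa[local.addon.name].iam_role_attributes.arn
 } : tomap({})
 }
+podMutatorWebhookConfig = {
+failurePolicy = "Fail"
+}
 })
 }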
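Review bot: The new `failurePolicy = "Fail"` in the second hunk is a deliberate fail-closed setting for the controller's mutating webhook, and nothing in the file records why it was chosen, so the next maintainer has no way to tell it apart from an accidental default; I would add `# Fail closed: admission requests the pod mutating webhook intercepts are rejected while the controller is unreachable, rather than admitted without its mutations.` above it (which pods the webhook selects depends on the chart's selectors, so I have not stated that). In the first hunk, `file("${path.module}/default_irsa_policy.json")` passes the default policy through verbatim; wrapping it as `jsonencode(jsondecode(file(...)))` would make a malformed policy file fail at plan time instead of at the IAM API. The enclosing `locals` block starts outside both hunks.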
