
Commit e1565ff

authored
refactor: simplify IAM policy by removing redundant statements and consolidating actions (#93)
* fix: update S3 resource ARNs in IAM policy to use local bucket names * feat: add permission to create service-linked role for autoscaling in IAM policy
1 parent b55a82b commit e1565ff


1 file changed

+102
-101
lines changed

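--- a/cloudservice-setup/aws/ec2-custom/iam.tf
+++ b/cloudservice-setup/aws/ec2-custom/iam.tf
@@ -21,11 +21,8 @@ resource "aws_iam_policy" "automq_console_policy" {
 Version = "2012-10-17"
 Statement = [
 {
-Sid = "EC2InstanceProfileManagement"
-Effect = "Allow"
-Action = [
-"iam:PassRole"
-]
+Effect = "Allow"
+Action = "iam:PassRole"
 Resource = "*"
 Condition = {
 StringLike = {
@@ -34,136 +31,141 @@ resource "aws_iam_policy" "automq_console_policy" {
 }
 },
 {
-Effect = "Allow"
-Action = ["ec2:DescribeVolumes", "ec2:DescribeSecurityGroups"]
+Effect = "Allow"
+Action = [
+"autoscaling:AttachInstances",
+"autoscaling:DeleteAutoScalingGroup",
+"autoscaling:DetachInstances",
+"autoscaling:ResumeProcesses",
+"autoscaling:SuspendProcesses",
+"autoscaling:UpdateAutoScalingGroup",
+"ec2:AttachVolume",
+"ec2:AuthorizeSecurityGroupEgress",
+"ec2:AuthorizeSecurityGroupIngress",
+"ec2:DeleteKeyPair",
+"ec2:DeleteSecurityGroup",
+"ec2:DeleteVolume",
+"ec2:DetachVolume",
+"ec2:RebootInstances",
+"ec2:StopInstances",
+"ec2:TerminateInstances",
+"fsx:DeleteFileSystem",
+"fsx:DeleteStorageVirtualMachine",
+"fsx:DeleteVolume",
+"fsx:UpdateFileSystem",
+"fsx:UpdateVolume"
+]
 Resource = "*"
+Condition = {
+StringEquals = {
+"aws:ResourceTag/automqVendor" = "automq"
+}
+}
 },
 {
 Effect = "Allow"
 Action = [
-"cloudwatch:PutMetricData",
-"ec2:DescribeSubnets",
-"ec2:DescribeVpcs",
-"ec2:DescribeTags",
-"ec2:DescribeAvailabilityZones",
-"route53:CreateHostedZone",
-"route53:GetHostedZone",
-"route53:ChangeResourceRecordSets",
-"route53:ListHostedZonesByName",
-"route53:ListResourceRecordSets",
-"route53:DeleteHostedZone"
+"s3:DeleteObject",
+"s3:GetObject",
+"s3:PutObject"
+]
+Resource = [
+"arn:aws:s3:::${local.data_bucket_name}",
+"arn:aws:s3:::${local.ops_bucket_name}"
 ]
-Resource = "*"
 },
 {
-Effect = "Allow"
-Action = ["eks:DescribeCluster", "eks:ListNodegroups", "eks:DescribeNodegroup"]
+Effect = "Allow"
+Action = [
+"iam:CreateServiceLinkedRole"
+]
 Resource = "*"
+Condition = {
+StringEquals = {
+"iam:AWSServiceName" = "autoscaling.amazonaws.com"
+}
+}
 },
 {
-Sid = "ConsoleEC2Management"
 Effect = "Allow"
 Action = [
-"ec2:DescribeRouteTables",
-"ssm:GetParameters",
-"pricing:GetProducts",
-"cloudwatch:PutMetricData",
-"ec2:DescribeImages",
+"autoscaling:CreateAutoScalingGroup",
+"autoscaling:DescribeAutoScalingGroups",
+"ec2:CreateKeyPair",
 "ec2:CreateLaunchTemplate",
 "ec2:CreateLaunchTemplateVersion",
-"ec2:ModifyLaunchTemplate",
-"ec2:RebootInstances",
-"ec2:RunInstances",
-"ec2:StopInstances",
-"ec2:TerminateInstances",
-"ec2:CreateKeyPair",
+"ec2:CreateSecurityGroup",
 "ec2:CreateTags",
-"ec2:AttachVolume",
-"ec2:DetachVolume",
-"ec2:DescribeInstances",
-"ec2:DescribeLaunchTemplates",
-"ec2:DescribeLaunchTemplateVersions",
-"ec2:DescribeVolumes",
-"ec2:DescribeSubnets",
-"ec2:DescribeKeyPairs",
-"ec2:DescribeVpcs",
-"ec2:DescribeTags",
-"ec2:DeleteKeyPair",
 "ec2:CreateVolume",
-"ec2:DeleteVolume",
 "ec2:DeleteLaunchTemplate",
+"ec2:DescribeAvailabilityZones",
+"ec2:DescribeImages",
+"ec2:DescribeInstanceAttribute",
 "ec2:DescribeInstanceTypeOfferings",
+"ec2:DescribeInstances",
+"ec2:DescribeKeyPairs",
+"ec2:DescribeLaunchTemplateVersions",
+"ec2:DescribeLaunchTemplates",
+"ec2:DescribeRouteTables",
+"ec2:DescribeSecurityGroupRules",
 "ec2:DescribeSecurityGroups",
-"ec2:CreateSecurityGroup",
-"ec2:AuthorizeSecurityGroupIngress",
-"ec2:AuthorizeSecurityGroupEgress",
-"ec2:DeleteSecurityGroup",
+"ec2:DescribeSubnets",
+"ec2:DescribeTags",
+"ec2:DescribeVolumes",
 "ec2:DescribeVpcEndpoints",
-"ec2:DescribeAvailabilityZones",
-"autoscaling:CreateAutoScalingGroup",
-"autoscaling:DescribeAutoScalingGroups",
-"autoscaling:UpdateAutoScalingGroup",
-"autoscaling:DeleteAutoScalingGroup",
-"autoscaling:AttachInstances",
-"autoscaling:DetachInstances",
-"autoscaling:ResumeProcesses",
-"autoscaling:SuspendProcesses",
-"route53:CreateHostedZone",
-"route53:GetHostedZone",
+"ec2:DescribeVpcs",
+"ec2:ModifyLaunchTemplate",
+"ec2:RunInstances",
+"eks:DescribeCluster",
+"eks:DescribeNodegroup",
+"eks:ListClusters",
+"eks:ListNodegroups",
+"elasticloadbalancing:DescribeTargetGroups",
+"fsx:CreateFileSystem",
+"fsx:CreateStorageVirtualMachine",
+"fsx:CreateVolume",
+"fsx:DescribeFileSystems",
+"fsx:DescribeStorageVirtualMachines",
+"fsx:DescribeVolumes",
+"fsx:TagResource",
+"iam:GetPolicy",
+"iam:GetPolicyVersion",
+"iam:GetRole",
+"iam:GetUser",
+"iam:ListAttachedRolePolicies",
+"iam:ListAttachedUserPolicies",
+"pricing:DescribeServices",
+"pricing:GetAttributeValues",
+"pricing:GetProducts",
 "route53:ChangeResourceRecordSets",
+"route53:GetHostedZone",
+"route53:ListHostedZones",
 "route53:ListHostedZonesByName",
+"route53:ListHostedZonesByVpc",
 "route53:ListResourceRecordSets",
-"route53:DeleteHostedZone",
-"elasticloadbalancing:DescribeTargetGroups",
-"elasticloadbalancing:DescribeTags",
-"elasticloadbalancing:DeleteTargetGroup",
-"elasticloadbalancing:DeleteLoadBalancer"
+"s3:AbortMultipartUpload",
+"s3:CreateBucket",
+"s3:DeleteObject",
+"s3:ListAllMyBuckets",
+"s3:ListBucket",
+"s3:ListBucketMultipartUploads",
+"ssm:GetParameters"
 ]
 Resource = "*"
 },
 {
 Effect = "Allow"
 Action = [
+"s3:GetBucketPolicy",
 "s3:GetLifecycleConfiguration",
-"s3:PutLifecycleConfiguration",
-"s3:ListBucket"
+"s3:ListBucket",
+"s3:PutBucketPolicy",
+"s3:PutBucketTagging",
+"s3:PutLifecycleConfiguration"
 ]
 Resource = [
-"arn:aws:s3:::${local.data_bucket_name}",
 "arn:aws:s3:::${local.ops_bucket_name}"
 ]
-},
-{
-Effect = "Allow"
-Action = [
-"s3:PutObject",
-"s3:GetObject",
-"s3:AbortMultipartUpload",
-"s3:PutObjectTagging",
-"s3:DeleteObject"
-]
-Resource = [
-"arn:aws:s3:::${local.data_bucket_name}/*",
-"arn:aws:s3:::${local.ops_bucket_name}/*"
-]
-},
-{
-Effect = "Allow"
-Action = [
-"fsx:CreateFileSystem",
-"fsx:DeleteFileSystem",
-"fsx:CreateStorageVirtualMachine",
-"fsx:TagResource",
-"fsx:DescribeStorageVirtualMachines",
-"fsx:UpdateVolume",
-"fsx:DescribeFileSystems",
-"fsx:DeleteStorageVirtualMachine",
-"fsx:UpdateFileSystem",
-"fsx:CreateVolume",
-"fsx:DescribeVolumes",
-"fsx:DeleteVolume"
-]
-Resource = "*"
 }
 ]
 })
@@ -178,4 +180,3 @@ resource "aws_iam_instance_profile" "automq_byoc_instance_profile" {
 name = "automq-byoc-instance-profile-${local.name_suffix}"
 role = aws_iam_role.automq_byoc_role.name
 }
-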
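Review bot: The new object-access statement (new lines 68–74) grants `s3:GetObject`, `s3:PutObject` and `s3:DeleteObject` against the bare bucket ARNs `arn:aws:s3:::${local.data_bucket_name}` and `arn:aws:s3:::${local.ops_bucket_name}`, but those are object-level actions that only match object ARNs; the statement being removed (old lines 136–149) had the correct form, so the two resource lines should read `"arn:aws:s3:::${local.data_bucket_name}/*",` and `"arn:aws:s3:::${local.ops_bucket_name}/*"`. As written, object reads and writes to both buckets will be denied, and deletes only keep working because `s3:DeleteObject` also appears in the later `Resource = "*"` statement (new line 148), which extends delete to every bucket the principal can reach rather than the two scoped buckets; it should live only in the bucket-scoped statement. `s3:PutObjectTagging` was also dropped from the old statement, and if that is intentional a one-line comment saying so would save the next reader a diff. The enclosing `aws_iam_policy.automq_console_policy` block begins before the first hunk.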
