From ec6507f6d9dd60aaf7c16b3272f97cd713fc701d Mon Sep 17 00:00:00 2001
From: meravbe
Date: Tue, 7 May 2024 09:46:52 +0300
Subject: [PATCH 1/2] CME IAM role | add ec2:DescribeRegions permission
---
 aws/templates/general/cme-iam-role.yaml | 1 +
 terraform/aws/cme-iam-role-gwlb/main.tf | 1 +
 terraform/aws/cme-iam-role/main.tf | 1 +
 3 files changed, 3 insertions(+)
diff --git a/aws/templates/general/cme-iam-role.yaml b/aws/templates/general/cme-iam-role.yaml
index d87c1e16..89ed6412 100755
--- a/aws/templates/general/cme-iam-role.yaml
+++ b/aws/templates/general/cme-iam-role.yaml
@@ -82,6 +82,7 @@ Resources:
 - Effect: Allow
 Action:
 - autoscaling:DescribeAutoScalingGroups
+ - ec2:DescribeRegions
 - ec2:DescribeCustomerGateways
 - ec2:DescribeInstances
 - ec2:DescribeNetworkInterfaces
diff --git a/terraform/aws/cme-iam-role-gwlb/main.tf b/terraform/aws/cme-iam-role-gwlb/main.tf
index c9d19587..33ea37ab 100644
--- a/terraform/aws/cme-iam-role-gwlb/main.tf
+++ b/terraform/aws/cme-iam-role-gwlb/main.tf
@@ -52,6 +52,7 @@ data "aws_iam_policy_document" "cme_role_read_policy_doc" {
 effect = "Allow"
 actions = [
 "autoscaling:DescribeAutoScalingGroups",
+ "ec2:DescribeRegions",
 "ec2:DescribeInstances",
 "ec2:DescribeNetworkInterfaces",
 "ec2:DescribeRouteTables",
diff --git a/terraform/aws/cme-iam-role/main.tf b/terraform/aws/cme-iam-role/main.tf
index 951e3b5c..817e3b90 100755
--- a/terraform/aws/cme-iam-role/main.tf
+++ b/terraform/aws/cme-iam-role/main.tf
@@ -52,6 +52,7 @@ data "aws_iam_policy_document" "cme_role_read_policy_doc" {
 effect = "Allow"
 actions = [
 "autoscaling:DescribeAutoScalingGroups",
+ "ec2:DescribeRegions",
 "ec2:DescribeCustomerGateways",
 "ec2:DescribeInstances",
 "ec2:DescribeNetworkInterfaces",
From ba259c108b915e54804ad30774df40a2c44cffec Mon Sep 17 00:00:00 2001
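Review bot: The new `ec2:DescribeRegions` entry breaks the alphabetical order of the read-only action list in all three hunks of this patch (it is placed right after `autoscaling:DescribeAutoScalingGroups`, ahead of `ec2:DescribeCustomerGateways` / `ec2:DescribeInstances`); moving it to after `ec2:DescribeNetworkInterfaces` (and before `ec2:DescribeRouteTables` in cme-iam-role-gwlb/main.tf) keeps the sorted list that makes later least-privilege trimming of these long statements easy to audit. Neither the commit message nor the policy says what CME needs region enumeration for; a one-line comment above the entry in the two Terraform files, e.g. `# ec2:DescribeRegions: <reason CME calls it - TODO fill in>`, would let the next reviewer judge whether the grant is still required. The statement's Resource element lies outside these hunks; since `ec2:Describe*` actions do not support resource-level permissions this grant necessarily rides on the statement's wildcard resource, which is expected for a read-only discovery call and adds no write capability.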
From: meravbe
Date: Thu, 9 May 2024 12:43:18 +0300
Subject: [PATCH 2/2] CME IAM role - add permission
---
 aws/templates/general/cme-iam-role.yaml | 2 +-
 terraform/aws/cme-iam-role-gwlb/README.md | 9 +++++----
 terraform/aws/cme-iam-role/README.md | 2 +-
 3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/aws/templates/general/cme-iam-role.yaml b/aws/templates/general/cme-iam-role.yaml
index 89ed6412..45680af7 100755
--- a/aws/templates/general/cme-iam-role.yaml
+++ b/aws/templates/general/cme-iam-role.yaml
@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: 2010-09-09
-Description: Creates an IAM role for selected permissions (20230926)
+Description: Creates an IAM role for selected permissions (20240507)
 Metadata:
 AWS::CloudFormation::Interface:
 ParameterGroups:
diff --git a/terraform/aws/cme-iam-role-gwlb/README.md b/terraform/aws/cme-iam-role-gwlb/README.md
index 3942b34f..2d6e639b 100644
--- a/terraform/aws/cme-iam-role-gwlb/README.md
+++ b/terraform/aws/cme-iam-role-gwlb/README.md
@@ -89,10 +89,11 @@ secret_key = "my-secret-key"
 ## Revision History
 In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585)
-| Template Version | Description |
-|------------------|--------------------------------------------------------------------|
-| 20230926 | CME instance profile for IAM Role |
-| 20231012 | Update AWS Terraform provider version to 5.20.1 |
+| Template Version | Description |
+|------------------|-------------------------------------------------------------------|
+| 20230926 | CME instance profile for IAM Role |
+| 20231012 | Update AWS Terraform provider version to 5.20.1 |
+| 20240507 | Add ec2:DescribeRegions read permission to the IAM role policy |
 ## License
diff --git a/terraform/aws/cme-iam-role/README.md b/terraform/aws/cme-iam-role/README.md
index 2c1b3493..203326cb 100755
--- a/terraform/aws/cme-iam-role/README.md
+++ b/terraform/aws/cme-iam-role/README.md
@@ -94,7 +94,7 @@ In order to check the template version, please refer to [sk116585](https://suppo
 | 20210309 | First release of Check Point CME IAM Role Terraform module for AWS |
 | 20230514 | CME instance profile for IAM Role |
 | 20231012 | Update AWS Terraform provider version to 5.20.1 |
-
+| 20240507 | Add ec2:DescribeRegions read permission to the IAM role policy |
 ## License