feat: Split AWS Policies (#98)

Split AWS policies closes #91 Provision Test: <img width="1579" alt="Screenshot 2024-11-19 at 4 38 06 PM" src="https://github.com/user-attachments/assets/52ae8209-919d-428e-8be2-d874696a8431">
streamnative · Nov 20, 2024 · 9c404c0 · 9c404c0
1 parent db248d5
commit 9c404c0
Show file tree

Hide file tree

Showing 4 changed files with 288 additions and 168 deletions.
diff --git a/modules/aws/vendor-access/files/provision1.json.tpl b/modules/aws/vendor-access/files/provision1.json.tpl
@@ -0,0 +1,59 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AcceptVpcPeering",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:AcceptVpcPeeringConnection"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "EndpointConnectionAccess",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:*VpcEndpointConnections"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "RunInst",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:RunInstances"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "ArnLikeIfExists": {
+          "ec2:Vpc": ${vpc_ids}
+        }
+      }
+    },
+    {
+      "Sid": "ReqResrcTag",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:AssignPrivateIpAddresses",
+        "ec2:AttachInternetGateway",
+        "ec2:CreateNatGateway",
+        "ec2:CreateNetworkInterface",
+        "ec2:CreateRoute",
+        "ec2:CreateRouteTable",
+        "ec2:ReplaceRoute",
+        "ec2:ReplaceRouteTableAssociation",
+        "ec2:CreateSubnet",
+        "ec2:CreateVpcEndpoint",
+        "ec2:DescribeVpcPeeringConnections",
+        "ec2:CreateVpcPeeringConnection",
+        "ec2:DeleteVpcPeeringConnection"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "StringEquals": {
+          "aws:ResourceTag/Vendor": "StreamNative"
+        }
+      }
+    }
+  ]
+}
diff --git a/.../files/bootstrap_role_iam_policy.json.tpl → ...s/vendor-access/files/provision2.json.tpl b/.../files/bootstrap_role_iam_policy.json.tpl → ...s/vendor-access/files/provision2.json.tpl
@@ -1,31 +1,10 @@
 {
   "Version": "2012-10-17",
   "Statement": [
-    {
-      "Sid": "UnResRW",
-      "Effect": "Allow",
-      "Action": [
-        "kms:CreateAlias",
-        "kms:DeleteAlias",
-        "kms:ScheduleKeyDeletion",
-        "logs:CreateLogGroup",
-        "logs:PutRetentionPolicy",
-        "route53:CreateHostedZone",
-        "route53:ChangeTagsForResource",
-        "support:*",
-        "servicequotas:List*",
-        "servicequotas:Get*",
-        "sts:DecodeAuthorizationMessage"
-      ],
-      "Resource": "*"
-    },
     {
       "Sid": "RO",
       "Effect": "Allow",
       "Action": [
-        "acm:ImportCertificate",
-        "acm:ListCertificates",
-        "acm:ListTagsForCertificate",
         "autoscaling:Describe*",
         "ec2:Describe*",
         "ec2:Get*",
@@ -37,18 +16,7 @@
         "iam:GetPolicy",
         "iam:GetPolicyVersion",
         "iam:GetRole",
-        "iam:List*",
-        "kms:DescribeKey",
-        "kms:GetKeyPolicy",
-        "kms:GetKeyRotationStatus",
-        "kms:ListAliases",
-        "kms:ListResourceTags",
-        "logs:Describe*",
-        "logs:List*",
-        "route53:Get*",
-        "route53:List*",
-        "s3:ListAllMyBuckets",
-        "s3:ListBucket"
+        "iam:List*"
       ],
       "Resource": "*"
     },
@@ -72,28 +40,6 @@
         }
       }
     },
-    {
-      "Sid": "RunInst",
-      "Effect": "Allow",
-      "Action": [
-        "ec2:RunInstances"
-      ],
-      "Resource": "*",
-      "Condition": {
-        "ArnLikeIfExists": {
-          "ec2:Vpc": ${vpc_ids}
-        }
-      }
-    },
-    {
-      "Sid": "ResR53Z",
-      "Effect": "Allow",
-      "Action": [
-        "route53:ChangeResourceRecordSets",
-        "route53:DeleteHostedZone"
-      ],
-      "Resource": ${r53_zone_arns}
-    },
     {
       "Sid": "ResEKS",
       "Effect": "Allow",
@@ -167,20 +113,14 @@
       "Sid": "ReqReqTag",
       "Effect": "Allow",
       "Action": [
-        "acm:AddTagsToCertificate",
-        "acm:ImportCertificate",
-        "acm:RemoveTagsFromCertificate",
-        "acm:RequestCertificate",
         "autoscaling:Create*",
         "ec2:*TransitGateway*",
         "ec2:AllocateAddress",
         "ec2:Create*",
         "eks:Create*",
         "eks:RegisterCluster",
         "eks:TagResource",
-        "elasticloadbalancing:Add*",
-        "kms:CreateKey",
-        "kms:TagResource"
+        "elasticloadbalancing:Add*"
       ],
       "Resource": "*",
       "Condition": {
@@ -189,41 +129,37 @@
         }
       }
     },
+    {
+      "Sid": "ResPsRlEKS",
+      "Effect": "Allow",
+      "Action": [
+        "iam:PassRole"
+      ],
+      "Resource": [
+        "arn:${partition}:iam::${account_id}:role/StreamNative/*",
+        "arn:${partition}:iam::${account_id}:role/${cluster_pattern}"
+      ],
+      "Condition": {
+        "StringEquals": {
+          "iam:PassedToService": "eks.amazonaws.com"
+        }
+      }
+    },
     {
       "Sid": "ReqResrcTag",
       "Effect": "Allow",
       "Action": [
-        "acm:DeleteCertificate",
-        "acm:DescribeCertificate",
-        "acm:ExportCertificate",
-        "acm:GetCertificate",
-        "acm:ImportCertificate",
-        "acm:RemoveTagsFromCertificate",
-        "acm:ResendValidationEmail",
         "autoscaling:AttachInstances",
         "autoscaling:CreateOrUpdateTags",
         "autoscaling:Detach*",
         "autoscaling:Update*",
         "autoscaling:Resume*",
         "autoscaling:Suspend*",
         "autoscaling:SetDesired*",
-        "ec2:AssignPrivateIpAddresses",
-        "ec2:AttachInternetGateway",
         "ec2:AttachVolume",
         "ec2:CreateLaunchTemplateVersion",
-        "ec2:CreateNatGateway",
-        "ec2:CreateNetworkInterface",
-        "ec2:CreateRoute",
-        "ec2:CreateRouteTable",
-        "ec2:ReplaceRoute",
-        "ec2:ReplaceRouteTableAssociation",
         "ec2:CreateSecurityGroup",
-        "ec2:CreateSubnet",
         "ec2:CreateTags",
-        "ec2:CreateVpcEndpoint",
-        "ec2:DescribeVpcPeeringConnections",
-        "ec2:CreateVpcPeeringConnection",
-        "ec2:DeleteVpcPeeringConnection",
         "ec2:Detach*",
         "ec2:Release*",
         "ec2:Revoke*",
@@ -239,9 +175,7 @@
         "elasticloadbalancing:*Rule",
         "elasticloadbalancing:*TargetGroup",
         "elasticloadbalancing:Set*",
-        "elasticloadbalancing:Re*",
-        "logs:*",
-        "ssm:StartSession"
+        "elasticloadbalancing:Re*"
       ],
       "Resource": "*",
       "Condition": {
@@ -250,52 +184,6 @@
         }
       }
     },
-    {
-      "Sid": "AcceptVpcPeering",
-      "Effect": "Allow",
-      "Action": [
-        "ec2:AcceptVpcPeeringConnection"
-      ],
-      "Resource": "*"
-    },
-    {
-      "Sid": "EndpointConnectionAccess",
-      "Effect": "Allow",
-      "Action": [
-        "ec2:*VpcEndpointConnections"
-      ],
-      "Resource": "*"
-    },
-    {
-      "Sid": "SSMStop",
-      "Effect": "Allow",
-      "Action": [
-        "ssm:TerminateSession",
-        "ssm:ResumeSession"
-      ],
-      "Resource": ["arn:aws:ssm:*:*:session/$${aws:username}-*"]
-    },
-    {
-      "Sid": "ResS3",
-      "Effect": "Allow",
-      "Action":[
-        "s3:CreateBucket",
-        "s3:Delete*",
-        "s3:Get*",
-        "s3:List*",
-        "s3:PutBucket*",
-        "s3:PutObject*",
-        "s3:PutLifecycle*",
-        "s3:PutAccelerateConfiguration",
-        "s3:PutAccessPointPolicy",
-        "s3:PutAccountPublicAccessBlock",
-        "s3:PutAnalyticsConfiguration",
-        "s3:PutEncryptionConfiguration"
-       ],
-       "Resource": [
-          "arn:${partition}:s3:::${bucket_pattern}"
-       ]
-    },
     {
       "Sid": "IAMReqTag",
       "Effect": "Allow",
@@ -332,28 +220,6 @@
           "aws:ResourceTag/Vendor": "StreamNative"
         }
       }
-    },
-    {
-      "Sid": "SvcLnkRl",
-      "Effect": "Allow",
-      "Action": "iam:CreateServiceLinkedRole",
-      "Resource": "arn:${partition}:iam::${account_id}:role/aws-service-role/*"
-    },
-    {
-      "Sid": "ResPsRlEKS",
-      "Effect": "Allow",
-      "Action": [
-        "iam:PassRole"
-      ],
-      "Resource": [
-        "arn:${partition}:iam::${account_id}:role/StreamNative/*",
-        "arn:${partition}:iam::${account_id}:role/${cluster_pattern}"
-      ],
-      "Condition": {
-        "StringEquals": {
-          "iam:PassedToService": "eks.amazonaws.com"
-        }
-      }
     }
   ]
-}
+}