From 4dd738e2d725312c4b9a4f88ed9d1182141c8b52 Mon Sep 17 00:00:00 2001
From: Rohitrajak1807
Date: Thu, 26 Sep 2024 15:54:39 +0530
Subject: [PATCH 1/3] change tagging conditions

---
 emp/emp_role_cftemplate.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/emp/emp_role_cftemplate.yaml b/emp/emp_role_cftemplate.yaml
index b29a2f4..c981d31 100644
--- a/emp/emp_role_cftemplate.yaml
+++ b/emp/emp_role_cftemplate.yaml
@@ -325,8 +325,8 @@ Resources:
 StringEquals:
 aws:RequestTag/emp.pf9.io: owned
 StringLike:
- aws:RequestTag/emp.pf9.io/baremetalpool: '*'
- aws:RequestTag/emp.pf9.io/namespace: '*'
+ aws:RequestTag/emp.pf9.io/ns/org-*/bmtpool/*: owned
+ aws:RequestTag/emp.pf9.io/ns/org-*: owned
 - Action:
 - elasticfilesystem:DescribeFileSystems
 - elasticfilesystem:CreateMountTarget
@@ -339,8 +339,8 @@ Resources:
 StringEquals:
 aws:ResourceTag/emp.pf9.io: owned
 StringLike:
- aws:ResourceTag/emp.pf9.io/namespace: '*'
- aws:ResourceTag/emp.pf9.io/baremetalpool: '*'
+ aws:ResourceTag/emp.pf9.io/ns/org-*: owned
+ aws:ResourceTag/emp.pf9.io/ns/org-*/bmtpool/*: owned
 - Action:
 - elasticfilesystem:TagResource
 Effect: Allow
From e22ecc24cda91742cec69fff4265eae8ff10d561 Mon Sep 17 00:00:00 2001
From: Rohitrajak1807
Date: Thu, 26 Sep 2024 15:58:14 +0530
Subject: [PATCH 2/3] change tagging conditions user cft

---
 emp/emp_user_cftemplate.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/emp/emp_user_cftemplate.yaml b/emp/emp_user_cftemplate.yaml
index 8700f60..5e421a1 100644
--- a/emp/emp_user_cftemplate.yaml
+++ b/emp/emp_user_cftemplate.yaml
@@ -335,8 +335,8 @@ Resources:
 StringEquals:
 aws:RequestTag/emp.pf9.io: owned
 StringLike:
- aws:RequestTag/emp.pf9.io/baremetalpool: '*'
- aws:RequestTag/emp.pf9.io/namespace: '*'
+ aws:RequestTag/emp.pf9.io/ns/org-*/bmtpool/*: owned
+ aws:RequestTag/emp.pf9.io/ns/org-*: owned
 - Action:
 - elasticfilesystem:DescribeFileSystems
 - elasticfilesystem:CreateMountTarget
@@ -349,8 +349,8 @@ Resources:
 StringEquals:
 aws:ResourceTag/emp.pf9.io: owned
 StringLike:
- aws:ResourceTag/emp.pf9.io/namespace: '*'
- aws:ResourceTag/emp.pf9.io/baremetalpool: '*'
+ aws:ResourceTag/emp.pf9.io/ns/org-*: owned
+ aws:ResourceTag/emp.pf9.io/ns/org-*/bmtpool/*: owned
 - Action:
 - elasticfilesystem:TagResource
 Effect: Allow
From 2fa6db51ad9272f2169d875efad4b727b9745727 Mon Sep 17 00:00:00 2001
From: Rohitrajak1807
Date: Thu, 3 Oct 2024 15:54:59 +0530
Subject: [PATCH 3/3] restrict only on 1 tag

---
 emp/emp_role_cftemplate.yaml | 7 +------
 emp/emp_user_cftemplate.yaml | 6 ------
 2 files changed, 1 insertion(+), 12 deletions(-)

diff --git a/emp/emp_role_cftemplate.yaml b/emp/emp_role_cftemplate.yaml
index c981d31..6a49dad 100644
--- a/emp/emp_role_cftemplate.yaml
+++ b/emp/emp_role_cftemplate.yaml
@@ -42,6 +42,7 @@ Resources:
 - arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/*
 - Action:
 # they are related to heartbeat sent by systems manager see: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html
+ # these permissions are needed by the ec2 instance itself. AWS docs don't disclose a resource type for this.
 - ssm:UpdateInstanceInformation
 - ssmmessages:CreateControlChannel
 - ssmmessages:CreateDataChannel
@@ -324,9 +325,6 @@ Resources:
 Condition:
 StringEquals:
 aws:RequestTag/emp.pf9.io: owned
- StringLike:
- aws:RequestTag/emp.pf9.io/ns/org-*/bmtpool/*: owned
- aws:RequestTag/emp.pf9.io/ns/org-*: owned
 - Action:
 - elasticfilesystem:DescribeFileSystems
 - elasticfilesystem:CreateMountTarget
@@ -338,9 +336,6 @@ Resources:
 Condition:
 StringEquals:
 aws:ResourceTag/emp.pf9.io: owned
- StringLike:
- aws:ResourceTag/emp.pf9.io/ns/org-*: owned
- aws:ResourceTag/emp.pf9.io/ns/org-*/bmtpool/*: owned
 - Action:
 - elasticfilesystem:TagResource
 Effect: Allow
diff --git a/emp/emp_user_cftemplate.yaml b/emp/emp_user_cftemplate.yaml
index 5e421a1..70fe861 100644
--- a/emp/emp_user_cftemplate.yaml
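Review bot: The new comment in the ssm/ssmmessages statement is vaguer than it needs to be; "AWS docs don't disclose a resource type for this" reads as if the resource type is unknown, whereas as far as I can tell the Service Authorization Reference lists `ssm:UpdateInstanceInformation` and the `ssmmessages:*` channel actions as actions that do not support resource-level permissions, which is exactly why the statement has to use a wildcard Resource. I would reword it to `# Sent by the SSM agent on the instance itself; these actions do not support resource-level permissions, so Resource must be "*".` If the wildcard's blast radius is a concern, one hedged option is an `ec2:SourceInstanceARN` condition, which is only present when the call is made with instance-profile credentials. The diffstat shows this comment landing only in the role template; if emp_user_cftemplate.yaml carries the same statement it should get the same note. The statement's Effect and Resource lines are outside this hunk, so I cannot confirm what the Resource currently is.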
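Review bot: Dropping the StringLike block in the role template leaves `aws:RequestTag/emp.pf9.io: owned` as the sole condition, so any caller able to put that one tag on a create request is allowed regardless of org or pool, and the per-tenant scoping the new `ns/org-*` tag scheme was introduced for is no longer enforced by IAM; the Action list this Condition belongs to starts above the hunk, so I am inferring it is the create-side EFS statement. The removed form was never going to work, since IAM does not match wildcards in the tag-key portion of `aws:RequestTag/...` condition keys, but the request-side "an org-scoped tag must be present" requirement can be kept with the multivalued key: `ForAnyValue:StringLike:` / `  aws:TagKeys: 'emp.pf9.io/ns/org-*'`. Longer term, carrying the org and pool in the tag value under fixed keys (e.g. `emp.pf9.io/org: <org>`) makes them matchable with `StringEquals` or policy variables on both the request and the resource side. If the widening is intentional, say so in a comment on the Condition so the next reader does not assume the namespace/pool tags are enforced.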
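Review bot: With only `aws:ResourceTag/emp.pf9.io: owned` left on the resource-side statement in the role template, every EMP-owned file system in the account now matches with no org or pool boundary, which is a cross-tenant widening relative to the pre-series policy that at least required the namespace and baremetalpool tag keys to exist; the Actions this Condition governs start above the hunk, and I am assuming it is the DescribeFileSystems/CreateMountTarget statement. Unlike the request side there is no `aws:TagKeys` analogue for resource tags, so the only IAM-native way to restore org scoping is a fixed tag key whose value carries the org, for example `aws:ResourceTag/emp.pf9.io/org: ${aws:PrincipalTag/org}` or a concrete value supplied as a template parameter. If that is out of scope for this series, a one-line comment on the Condition stating that `emp.pf9.io` is the only tag IAM enforces would at least document the trust boundary.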
+++ b/emp/emp_user_cftemplate.yaml
@@ -334,9 +334,6 @@ Resources:
 Condition:
 StringEquals:
 aws:RequestTag/emp.pf9.io: owned
- StringLike:
- aws:RequestTag/emp.pf9.io/ns/org-*/bmtpool/*: owned
- aws:RequestTag/emp.pf9.io/ns/org-*: owned
 - Action:
 - elasticfilesystem:DescribeFileSystems
 - elasticfilesystem:CreateMountTarget
@@ -348,9 +345,6 @@ Resources:
 Condition:
 StringEquals:
 aws:ResourceTag/emp.pf9.io: owned
- StringLike:
- aws:ResourceTag/emp.pf9.io/ns/org-*: owned
- aws:ResourceTag/emp.pf9.io/ns/org-*/bmtpool/*: owned
 - Action:
 - elasticfilesystem:TagResource
 Effect: Allow
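Review bot: In the user template the create-side statement is now gated on the single condition `aws:RequestTag/emp.pf9.io: owned`, so a principal that can tag a request gains the permission for every org and pool; the Action list this Condition belongs to is above the hunk. The wildcard tag-key condition keys removed here were not valid IAM condition keys in the first place, but the presence requirement they were reaching for can be kept with `ForAnyValue:StringLike:` / `  aws:TagKeys: 'emp.pf9.io/ns/org-*'`. Whatever is chosen should stay aligned with the corresponding statement in emp_role_cftemplate.yaml, which this series edits in parallel and which must not drift from the user template.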
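Review bot: The resource-side statement in the user template now matches any resource carrying `emp.pf9.io: owned` with no org or pool boundary, and `aws:TagKeys` cannot narrow this because it only describes tags in the request, not tags on the resource. If org isolation is a requirement for whatever principal this template provisions, the IAM-native expression is a fixed key with the org in the value, e.g. `aws:ResourceTag/emp.pf9.io/org: ${aws:PrincipalTag/org}`, rather than the org in the key name. The statement's Action list starts above this hunk, so I cannot see which EFS actions are affected.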