package taloscdk
import (
"github.com/aws/aws-cdk-go/awscdk/awsiam"
"github.com/aws/constructs-go/constructs/v3"
"github.com/aws/jsii-runtime-go"
)
// NewControlPlaneIAMRole creates the IAM role for Talos control-plane nodes.
//
// The role's trust policy allows the EC2 service principal
// (ec2.amazonaws.com) to assume it, so it is meant to be attached to
// instances through an instance profile; the instance profile itself is not
// created here and must be supplied by the caller. The role carries exactly
// one inline policy, "ControlPlanePolicy", whose document is produced by
// NewControlPlaneIAMPolicyDocument and grants the actions the AWS cloud
// controller manager uses to create load balancers and related EC2 resources
// for the cluster.
//
// scope is the parent construct; id is the construct identifier of the role.
func NewControlPlaneIAMRole(scope constructs.Construct, id *string) awsiam.Role {
	// The inline policy name doubles as the construct id handed to the
	// document builder, so keep it in one place.
	const policyName = "ControlPlanePolicy"

	inline := map[string]awsiam.PolicyDocument{
		policyName: NewControlPlaneIAMPolicyDocument(scope, jsii.String(policyName)),
	}
	props := awsiam.RoleProps{
		AssumedBy:      awsiam.NewServicePrincipal(jsii.String("ec2.amazonaws.com"), nil),
		InlinePolicies: &inline,
	}
	return awsiam.NewRole(scope, id, &props)
}
// NewWorkerIAMRole creates the IAM role for Talos worker nodes.
//
// The role's trust policy allows the EC2 service principal
// (ec2.amazonaws.com) to assume it, so it is meant to be attached to
// instances through an instance profile; the instance profile itself is not
// created here and must be supplied by the caller. The role carries exactly
// one inline policy, "WorkerPolicy", whose document is produced by
// NewWorkerIAMPolicyDocument and grants only EC2 Describe calls plus the ECR
// read actions needed to pull container images. Unlike the control-plane
// role it grants no load-balancer or other mutating permissions.
//
// scope is the parent construct; id is the construct identifier of the role.
func NewWorkerIAMRole(scope constructs.Construct, id *string) awsiam.Role {
	// The inline policy name doubles as the construct id handed to the
	// document builder, so keep it in one place.
	const policyName = "WorkerPolicy"

	inline := map[string]awsiam.PolicyDocument{
		policyName: NewWorkerIAMPolicyDocument(scope, jsii.String(policyName)),
	}
	props := awsiam.RoleProps{
		AssumedBy:      awsiam.NewServicePrincipal(jsii.String("ec2.amazonaws.com"), nil),
		InlinePolicies: &inline,
	}
	return awsiam.NewRole(scope, id, &props)
}
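// NewControlPlaneIAMPolicyDocument builds the policy document that
// NewControlPlaneIAMRole attaches inline to the control-plane role.
//
// The document holds a single Allow statement on Resource "*" covering the
// Auto Scaling, EC2, Elastic Load Balancing, IAM and KMS actions listed
// below; per this package's role documentation it is the set the AWS cloud
// controller manager needs to manage routes, security groups, volumes and
// load balancers for the cluster. Each action appears once (an earlier
// revision listed elasticloadbalancing:AddTags twice; IAM ignores the
// duplicate, so the effective grant is unchanged).
//
// scope and id are accepted for symmetry with the role constructors but are
// not used: awsiam.NewPolicyDocument takes only props, so the document is
// not registered in the construct tree under either value.
//
// NOTE(review): every action is granted on "*", and several of them
// (ec2:ModifyInstanceAttribute, ec2:CreateRoute/DeleteRoute,
// ec2:AuthorizeSecurityGroupIngress, ec2:DeleteSecurityGroup,
// iam:CreateServiceLinkedRole) are account-wide write permissions. A
// compromised control-plane instance can therefore act on resources outside
// the cluster. Where the deployment tags its resources, consider moving the
// mutating actions into a second statement conditioned on
// aws:ResourceTag/kubernetes.io/cluster/<cluster-name> so the role is
// confined to the cluster's own resources; the Describe* actions do not
// support resource-level scoping and can stay on "*".
func NewControlPlaneIAMPolicyDocument(scope constructs.Construct, id *string) awsiam.PolicyDocument {
	actions := jsii.Strings(
		// Auto Scaling: discovery of node groups (read-only).
		"autoscaling:DescribeAutoScalingGroups",
		"autoscaling:DescribeLaunchConfigurations",
		"autoscaling:DescribeTags",

		// EC2: read-only discovery.
		"ec2:DescribeInstances",
		"ec2:DescribeRegions",
		"ec2:DescribeRouteTables",
		"ec2:DescribeSecurityGroups",
		"ec2:DescribeSubnets",
		"ec2:DescribeVolumes",
		"ec2:DescribeVpcs",

		// EC2: mutating actions on security groups, routes, tags and volumes.
		"ec2:CreateSecurityGroup",
		"ec2:CreateTags",
		"ec2:CreateVolume",
		"ec2:ModifyInstanceAttribute",
		"ec2:ModifyVolume",
		"ec2:AttachVolume",
		"ec2:AuthorizeSecurityGroupIngress",
		"ec2:CreateRoute",
		"ec2:DeleteRoute",
		"ec2:DeleteSecurityGroup",
		"ec2:DeleteVolume",
		"ec2:DetachVolume",
		"ec2:RevokeSecurityGroupIngress",

		// Elastic Load Balancing: load balancer lifecycle, classic listeners,
		// policies and instance registration.
		"elasticloadbalancing:AddTags",
		"elasticloadbalancing:AttachLoadBalancerToSubnets",
		"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
		"elasticloadbalancing:CreateLoadBalancer",
		"elasticloadbalancing:CreateLoadBalancerPolicy",
		"elasticloadbalancing:CreateLoadBalancerListeners",
		"elasticloadbalancing:ConfigureHealthCheck",
		"elasticloadbalancing:DeleteLoadBalancer",
		"elasticloadbalancing:DeleteLoadBalancerListeners",
		"elasticloadbalancing:DescribeLoadBalancers",
		"elasticloadbalancing:DescribeLoadBalancerAttributes",
		"elasticloadbalancing:DescribeLoadBalancerPolicies",
		"elasticloadbalancing:DetachLoadBalancerFromSubnets",
		"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		"elasticloadbalancing:ModifyLoadBalancerAttributes",
		"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
		"elasticloadbalancing:SetLoadBalancerPoliciesOfListener",

		// Elastic Load Balancing v2: listeners and target groups.
		"elasticloadbalancing:CreateListener",
		"elasticloadbalancing:CreateTargetGroup",
		"elasticloadbalancing:DeleteListener",
		"elasticloadbalancing:DeleteTargetGroup",
		"elasticloadbalancing:DescribeListeners",
		"elasticloadbalancing:DescribeTargetGroups",
		"elasticloadbalancing:DescribeTargetHealth",
		"elasticloadbalancing:ModifyListener",
		"elasticloadbalancing:ModifyTargetGroup",
		"elasticloadbalancing:RegisterTargets",
		"elasticloadbalancing:DeregisterTargets",

		// IAM / KMS: service-linked role creation and key lookup.
		"iam:CreateServiceLinkedRole",
		"kms:DescribeKey",
	)

	statements := []awsiam.PolicyStatement{
		awsiam.NewPolicyStatement(&awsiam.PolicyStatementProps{
			Effect:    awsiam.Effect_ALLOW,
			Actions:   actions,
			Resources: jsii.Strings("*"),
		}),
	}
	return awsiam.NewPolicyDocument(&awsiam.PolicyDocumentProps{
		Statements: &statements,
	})
}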
// NewWorkerIAMPolicyDocument builds the policy document that NewWorkerIAMRole
// attaches inline to the worker role.
//
// The document holds a single Allow statement on Resource "*" granting two
// EC2 Describe calls and the ECR read actions required to authenticate to a
// registry and pull images (token retrieval, layer availability/download,
// repository policy and listing, image fetch). No mutating EC2, ELB or IAM
// actions are included.
//
// scope and id are accepted for symmetry with the role constructors but are
// not used: awsiam.NewPolicyDocument takes only props, so the document is
// not registered in the construct tree under either value.
//
// NOTE(review): ecr:GetAuthorizationToken only supports Resource "*", but the
// remaining ECR actions accept repository ARNs; if the cluster pulls from a
// known set of repositories, those actions could be narrowed to them.
func NewWorkerIAMPolicyDocument(scope constructs.Construct, id *string) awsiam.PolicyDocument {
	actions := jsii.Strings(
		// EC2: read-only discovery.
		"ec2:DescribeInstances",
		"ec2:DescribeRegions",

		// ECR: registry authentication and image pull.
		"ecr:GetAuthorizationToken",
		"ecr:BatchCheckLayerAvailability",
		"ecr:GetDownloadUrlForLayer",
		"ecr:GetRepositoryPolicy",
		"ecr:DescribeRepositories",
		"ecr:ListImages",
		"ecr:BatchGetImage",
	)

	statements := []awsiam.PolicyStatement{
		awsiam.NewPolicyStatement(&awsiam.PolicyStatementProps{
			Effect:    awsiam.Effect_ALLOW,
			Actions:   actions,
			Resources: jsii.Strings("*"),
		}),
	}
	return awsiam.NewPolicyDocument(&awsiam.PolicyDocumentProps{
		Statements: &statements,
	})
}