EMP-2622, restrict all permissions under elasticfilesystem:* (#54)
* remove deprecated

* correct acc no

* efs done

* efs done, user cft
Rohitrajak1807 authored Sep 25, 2024
1 parent 542fb10 commit 30f3812
Showing 2 changed files with 62 additions and 22 deletions.
42 changes: 31 additions & 11 deletions emp/emp_role_cftemplate.yaml
Expand Up @@ -301,23 +301,43 @@ Resources:
- !Sub 'arn:aws:iam::${AWS::AccountId}:role/${EKSRole}'
Effect: Allow
- Action:
# these are api calls our controllers make, we should be able to restrict these once we have tagging.
# the tagging permissions are left as-is for that purpose
# read-only
- elasticfilesystem:DescribeTags
- elasticfilesystem:ListTagsForResource
Resource:
- '*'
Effect: Allow
- Action:
- elasticfilesystem:CreateFileSystem
Resource: '*'
Effect: Allow
Condition:
StringEquals:
aws:RequestTag/emp.pf9.io: owned
StringLike:
aws:RequestTag/emp.pf9.io/baremetalpool: '*'
aws:RequestTag/emp.pf9.io/namespace: '*'
- Action:
- elasticfilesystem:DescribeFileSystems
- elasticfilesystem:CreateMountTarget
- elasticfilesystem:CreateTags
- elasticfilesystem:DeleteFileSystem
- elasticfilesystem:DeleteMountTarget
- elasticfilesystem:DeleteTags
- elasticfilesystem:DescribeFileSystems
- elasticfilesystem:DeleteFileSystem
- elasticfilesystem:DescribeMountTargets
- elasticfilesystem:DescribeTags
- elasticfilesystem:ListTagsForResource
Resource: '*'
Effect: Allow
Condition:
StringEquals:
aws:ResourceTag/emp.pf9.io: owned
StringLike:
aws:ResourceTag/emp.pf9.io/namespace: '*'
aws:ResourceTag/emp.pf9.io/baremetalpool: '*'
- Action:
- elasticfilesystem:TagResource
- elasticfilesystem:UntagResource
Resource:
- '*'
Effect: Allow
Resource: '*'
Condition:
StringEquals:
elasticfilesystem:CreateAction: 'CreateFileSystem'
- Action:
# required by baremetalpool controller check ConfigureSGRules
- ec2:AuthorizeSecurityGroupEgress
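Review bot: The `TagResource`/`UntagResource` statement at the end of the hunk is gated on `elasticfilesystem:CreateAction: 'CreateFileSystem'`, which only holds during tag-on-create, yet the `aws:ResourceTag/emp.pf9.io: owned` statement above it still lists `elasticfilesystem:CreateTags` and `elasticfilesystem:DeleteTags`; if those legacy actions survive on the new side (the rendered view does not show which side each line belongs to) they let the role add or strip tags, including `emp.pf9.io`, on any owned file system through the deprecated API and so undo the restriction the CreateAction condition is meant to impose. Given the commit message says "remove deprecated", confirm that `CreateTags`, `DeleteTags` and `DescribeTags` are actually dropped rather than merely re-conditioned. Separately, `DescribeFileSystems` and `DescribeMountTargets` under the ResourceTag condition will likely not authorize an unfiltered list call, because a request without a FileSystemId has no resource tags to match, so either the controllers must always pass a FileSystemId or those reads need their own statement; a comment such as `# ResourceTag conditions only match when the call names a specific file system` above that Condition would record the constraint. The same hunk appears in emp/emp_user_cftemplate.yaml and the same notes apply there.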
42 changes: 31 additions & 11 deletions emp/emp_user_cftemplate.yaml
Expand Up @@ -312,23 +312,43 @@ Resources:
- '*'
Effect: Allow
- Action:
# these are api calls our controllers make, we should be able to restrict these once we have tagging.
# the tagging permissions are left as-is for that purpose
# read-only
- elasticfilesystem:DescribeTags
- elasticfilesystem:ListTagsForResource
Resource:
- '*'
Effect: Allow
- Action:
- elasticfilesystem:CreateFileSystem
Resource: '*'
Effect: Allow
Condition:
StringEquals:
aws:RequestTag/emp.pf9.io: owned
StringLike:
aws:RequestTag/emp.pf9.io/baremetalpool: '*'
aws:RequestTag/emp.pf9.io/namespace: '*'
- Action:
- elasticfilesystem:DescribeFileSystems
- elasticfilesystem:CreateMountTarget
- elasticfilesystem:CreateTags
- elasticfilesystem:DeleteFileSystem
- elasticfilesystem:DeleteMountTarget
- elasticfilesystem:DeleteTags
- elasticfilesystem:DescribeFileSystems
- elasticfilesystem:DeleteFileSystem
- elasticfilesystem:DescribeMountTargets
- elasticfilesystem:DescribeTags
- elasticfilesystem:ListTagsForResource
Resource: '*'
Effect: Allow
Condition:
StringEquals:
aws:ResourceTag/emp.pf9.io: owned
StringLike:
aws:ResourceTag/emp.pf9.io/namespace: '*'
aws:ResourceTag/emp.pf9.io/baremetalpool: '*'
- Action:
- elasticfilesystem:TagResource
- elasticfilesystem:UntagResource
Resource:
- '*'
Effect: Allow
Resource: '*'
Condition:
StringEquals:
elasticfilesystem:CreateAction: 'CreateFileSystem'
- Action:
# required by baremetalpool controller check ConfigureSGRules
- ec2:AuthorizeSecurityGroupEgress
