feat(iam): update IAM policy ARNs to use dynamic AWS partition (#24)
feat(iam): replace static AWS partition with variable for resource ARNs

feat(docs): add aws_partition input variable to README

Co-authored-by: Aleksandr Cupacenko <[email protected]>
unitmatrix and Aleksandr Cupacenko authored Dec 13, 2024
1 parent 21f7af9 commit 32f77ea
Showing 3 changed files with 20 additions and 13 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -93,6 +93,7 @@ No modules.
| <a name="input_argo_project"></a> [argo\_project](#input\_argo\_project) | ArgoCD Application project | `string` | `"default"` | no |
| <a name="input_argo_spec"></a> [argo\_spec](#input\_argo\_spec) | ArgoCD Application spec configuration. Override or create additional spec parameters | `any` | `{}` | no |
| <a name="input_argo_sync_policy"></a> [argo\_sync\_policy](#input\_argo\_sync\_policy) | ArgoCD syncPolicy manifest parameter | `any` | `{}` | no |
| <a name="input_aws_partition"></a> [aws\_partition](#input\_aws\_partition) | AWS partition in which the resources are located. Available values are `aws`, `aws-cn`, `aws-us-gov` | `string` | `"aws"` | no |
| <a name="input_enabled"></a> [enabled](#input\_enabled) | Variable indicating whether deployment is enabled | `bool` | `true` | no |
| <a name="input_helm_atomic"></a> [helm\_atomic](#input\_helm\_atomic) | If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used | `bool` | `false` | no |
| <a name="input_helm_chart_name"></a> [helm\_chart\_name](#input\_helm\_chart\_name) | Helm chart name to be installed | `string` | `"aws-load-balancer-controller"` | no |
26 changes: 13 additions & 13 deletions iam.tf
Expand Up @@ -101,7 +101,7 @@ data "aws_iam_policy_document" "this" {
actions = [
"ec2:CreateTags"
]
resources = ["arn:aws:ec2:*:*:security-group/*"]
resources = ["arn:${var.aws_partition}:ec2:*:*:security-group/*"]
condition {
test = "StringEquals"
variable = "ec2:CreateAction"
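Review bot: The partition in the rewritten `resources` ARN is taken from a caller-supplied variable that defaults to `aws`, so a deployment in another partition that forgets to set it produces ARNs that match no real resource; the allow statement then presumably never applies and the controller's tagging calls fail at runtime rather than at plan time. The same applies to every other hunk in this file. The AWS provider's `data "aws_partition" "current" {}` data source derives the partition from the credentials in use, so `resources = ["arn:${data.aws_partition.current.partition}:ec2:*:*:security-group/*"]` would remove the possibility of a mismatch; if the variable is kept for explicit overrides, a `validation` block restricting it to the three documented partitions would at least reject typos at plan time. The enclosing `aws_iam_policy_document` block starts and ends outside this hunk.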
Expand All @@ -120,7 +120,7 @@ data "aws_iam_policy_document" "this" {
"ec2:CreateTags",
"ec2:DeleteTags"
]
resources = ["arn:aws:ec2:*:*:security-group/*"]
resources = ["arn:${var.aws_partition}:ec2:*:*:security-group/*"]
condition {
test = "Null"
variable = "aws:RequestTag/elbv2.k8s.aws/cluster"
Expand Down Expand Up @@ -180,9 +180,9 @@ data "aws_iam_policy_document" "this" {
"elasticloadbalancing:RemoveTags"
]
resources = [
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
"arn:${var.aws_partition}:elasticloadbalancing:*:*:targetgroup/*/*",
"arn:${var.aws_partition}:elasticloadbalancing:*:*:loadbalancer/net/*/*",
"arn:${var.aws_partition}:elasticloadbalancing:*:*:loadbalancer/app/*/*"
]
condition {
test = "Null"
Expand All @@ -203,10 +203,10 @@ data "aws_iam_policy_document" "this" {
"elasticloadbalancing:RemoveTags"
]
resources = [
"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
"arn:${var.aws_partition}:elasticloadbalancing:*:*:listener/net/*/*/*",
"arn:${var.aws_partition}:elasticloadbalancing:*:*:listener/app/*/*/*",
"arn:${var.aws_partition}:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
"arn:${var.aws_partition}:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
]
}

Expand All @@ -216,9 +216,9 @@ data "aws_iam_policy_document" "this" {
"elasticloadbalancing:AddTags"
]
resources = [
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
"arn:${var.aws_partition}:elasticloadbalancing:*:*:targetgroup/*/*",
"arn:${var.aws_partition}:elasticloadbalancing:*:*:loadbalancer/net/*/*",
"arn:${var.aws_partition}:elasticloadbalancing:*:*:loadbalancer/app/*/*"
]
condition {
test = "StringEquals"
Expand Down Expand Up @@ -263,7 +263,7 @@ data "aws_iam_policy_document" "this" {
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:DeregisterTargets"
]
resources = ["arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"]
resources = ["arn:${var.aws_partition}:elasticloadbalancing:*:*:targetgroup/*/*"]
}

statement {
6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -378,3 +378,9 @@ variable "helm_lint" {
default = false
description = "Run the helm chart linter during the plan"
}

variable "aws_partition" {
type = string
default = "aws"
description = "AWS partition in which the resources are located. Available values are `aws`, `aws-cn`, `aws-us-gov`"
}
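Review bot: The new `aws_partition` variable enumerates its allowed values only in the description, so a misspelling such as a constructed `aws-gov` is accepted at plan time and only shows up later as IAM policy ARNs that match nothing. A `validation` block restricting the value to the three listed partitions turns that into a plan-time error and keeps the description's list and the accepted inputs in step. The proposed addition is below; the existing `type`, `default` and `description` attributes are unchanged.
```hcl
variable "aws_partition" {
  # … unchanged: type, default, description …

  validation {
    condition     = contains(["aws", "aws-cn", "aws-us-gov"], var.aws_partition)
    error_message = "aws_partition must be one of: aws, aws-cn, aws-us-gov."
  }
}
```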
