Updating runner and ml nodes to use scoped permission (#17)

terraform/modules/galileo-eks/main.tf

@@ -165,7 +165,7 @@ module "eks_galileo" {
         AmazonEKSWorkerNodePolicy          = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
         AmazonEC2ContainerRegistryReadOnly = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
         ClusterAutoscaler                  = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/ClusterAutoscaler_${var.cluster_name}",
-        AmazonS3FullAccess                 = "arn:aws:iam::aws:policy/AmazonS3FullAccess",
+        GalileoS3BucketAccess              = aws_iam_policy.galileo_s3_permission.arn,
         AmazonSSMManagedInstanceCore       = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
         CloudWatchAgentServerPolicy        = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
         AmazonEBSCSIDriverPolicy           = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy",
@@ -202,7 +202,7 @@ module "eks_galileo" {
           AmazonEKSWorkerNodePolicy          = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
           AmazonEC2ContainerRegistryReadOnly = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
           ClusterAutoscaler                  = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/ClusterAutoscaler_${var.cluster_name}",
-          AmazonS3FullAccess                 = "arn:aws:iam::aws:policy/AmazonS3FullAccess",
+          GalileoS3BucketAccess              = aws_iam_policy.galileo_s3_permission.arn,
           AmazonSSMManagedInstanceCore       = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
           CloudWatchAgentServerPolicy        = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
           AmazonEBSCSIDriverPolicy           = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy",