|
5 | 5 | data "aws_iam_policy_document" "aws_gateway_controller" {
|
6 | 6 | count = var.create_role && var.attach_aws_gateway_controller_policy ? 1 : 0
|
7 | 7 |
|
8 |
| - # https://github.com/aws/aws-application-networking-k8s/blob/v0.0.11/examples/recommended-inline-policy.json |
| 8 | + # https://github.com/aws/aws-application-networking-k8s/blob/v1.1.0/files/controller-installation/recommended-inline-policy.json |
9 | 9 | statement {
|
10 | 10 | actions = [
|
11 | 11 | "vpc-lattice:*",
|
12 |
| - "iam:CreateServiceLinkedRole", |
13 | 12 | "ec2:DescribeVpcs",
|
14 | 13 | "ec2:DescribeSubnets",
|
| 14 | + "ec2:DescribeTags", |
| 15 | + "ec2:DescribeSecurityGroups", |
| 16 | + "logs:CreateLogDelivery", |
| 17 | + "logs:GetLogDelivery", |
| 18 | + "logs:DescribeLogGroups", |
| 19 | + "logs:PutResourcePolicy", |
| 20 | + "logs:DescribeResourcePolicies", |
| 21 | + "logs:UpdateLogDelivery", |
| 22 | + "logs:DeleteLogDelivery", |
| 23 | + "logs:ListLogDeliveries", |
| 24 | + "tag:GetResources", |
| 25 | + "firehose:TagDeliveryStream", |
| 26 | + "s3:GetBucketPolicy", |
| 27 | + "s3:PutBucketPolicy", |
15 | 28 | ]
|
16 | 29 | resources = ["*"]
|
17 | 30 | }
|
| 31 | + |
| 32 | + statement { |
| 33 | + actions = ["iam:CreateServiceLinkedRole"] |
| 34 | + resources = ["arn:${local.partition}:iam::*:role/aws-service-role/vpc-lattice.${local.dns_suffix}/AWSServiceRoleForVpcLattice"] |
| 35 | + condition { |
| 36 | + test = "StringLike" |
| 37 | + variable = "iam:AWSServiceName" |
| 38 | + values = ["vpc-lattice.${local.dns_suffix}"] |
| 39 | + } |
| 40 | + } |
| 41 | + |
| 42 | + statement { |
| 43 | + actions = ["iam:CreateServiceLinkedRole"] |
| 44 | + resources = ["arn:${local.partition}:iam::*:role/aws-service-role/delivery.logs.${local.dns_suffix}/AWSServiceRoleForLogDelivery"] |
| 45 | + condition { |
| 46 | + test = "StringLike" |
| 47 | + variable = "iam:AWSServiceName" |
| 48 | + values = ["delivery.logs.${local.dns_suffix}"] |
| 49 | + } |
| 50 | + } |
18 | 51 | }
|
19 | 52 |
|
20 | 53 | resource "aws_iam_policy" "aws_gateway_controller" {
|
|