csi: aws csi driver policies (#1945)

* add required disk permissions * update worker node policy for ebs * Revert "update worker node policy for ebs" This reverts commit 9c24d374e0b30bc8970e00978462fb36ee6acd4f. * attach aws managed role instead * add TODO comment * remove duplicate role attachment * Update cli/internal/terraform/terraform/iam/aws/main.tf Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2025-02-02 02:24:56 -05:00 · 2023-06-22 14:15:05 +02:00 · 2023-06-22 14:15:05 +02:00 · 224c74f883
commit 224c74f883
parent 4546912f11
1 changed files with 12 additions and 1 deletions
--- a/cli/internal/terraform/terraform/iam/aws/main.tf
+++ b/cli/internal/terraform/terraform/iam/aws/main.tf
@ -197,7 +197,6 @@ resource "aws_iam_role_policy_attachment" "attach_worker_node_policy" {
  policy_arn = aws_iam_policy.worker_node_policy.arn
 }

-
 // Add all permissions here, which are needed by the bootstrapper
 resource "aws_iam_policy" "constellation_bootstrapper_policy" {
  name   = "${var.name_prefix}_constellation_bootstrapper_policy"
@ -226,3 +225,15 @@ resource "aws_iam_role_policy_attachment" "attach_bootstrapper_policy_control_pl
  role       = aws_iam_role.control_plane_role.name
  policy_arn = aws_iam_policy.constellation_bootstrapper_policy.arn
 }
+
+// TODO(msanft): incorporate this into the custom worker node policy
+resource "aws_iam_role_policy_attachment" "csi_driver_policy_worker" {
+  role       = aws_iam_role.worker_node_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
+}
+
+// TODO(msanft): incorporate this into the custom control-plane node policy
+resource "aws_iam_role_policy_attachment" "csi_driver_policy_control_plane" {
+  role       = aws_iam_role.control_plane_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
+}