From 224c74f8838fcbdd253cf29cf4052d80f1647264 Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Thu, 22 Jun 2023 14:15:05 +0200 Subject: [PATCH] csi: aws csi driver policies (#1945) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * add required disk permissions * update worker node policy for ebs * Revert "update worker node policy for ebs" This reverts commit 9c24d374e0b30bc8970e00978462fb36ee6acd4f. * attach aws managed role instead * add TODO comment * remove duplicate role attachment * Update cli/internal/terraform/terraform/iam/aws/main.tf Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> --- cli/internal/terraform/terraform/iam/aws/main.tf | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/cli/internal/terraform/terraform/iam/aws/main.tf b/cli/internal/terraform/terraform/iam/aws/main.tf index acf86a5c7..73d7135d4 100644 --- a/cli/internal/terraform/terraform/iam/aws/main.tf +++ b/cli/internal/terraform/terraform/iam/aws/main.tf @@ -197,7 +197,6 @@ resource "aws_iam_role_policy_attachment" "attach_worker_node_policy" { policy_arn = aws_iam_policy.worker_node_policy.arn } - // Add all permissions here, which are needed by the bootstrapper resource "aws_iam_policy" "constellation_bootstrapper_policy" { name = "${var.name_prefix}_constellation_bootstrapper_policy" 
@@ -226,3 +225,15 @@ resource "aws_iam_role_policy_attachment" "attach_bootstrapper_policy_control_pl
 role = aws_iam_role.control_plane_role.name
 policy_arn = aws_iam_policy.constellation_bootstrapper_policy.arn
 }
+
+// TODO(msanft): incorporate this into the custom worker node policy
+resource "aws_iam_role_policy_attachment" "csi_driver_policy_worker" {
+ role = aws_iam_role.worker_node_role.name
+ policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
+}
+
+// TODO(msanft): incorporate this into the custom control-plane node policy
+resource "aws_iam_role_policy_attachment" "csi_driver_policy_control_plane" {
+ role = aws_iam_role.control_plane_role.name
+ policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
+}
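Review bot: Both new attachments bind the AWS-managed `AmazonEBSCSIDriverPolicy` to the node instance roles (`worker_node_role` and `control_plane_role`), so every instance in either group — and any pod on it that can reach the instance metadata endpoint — inherits the CSI driver's volume and snapshot permissions, not just the CSI controller workload; whether the control-plane attachment is needed at all depends on where the controller is scheduled, which this hunk does not show. A managed policy is also maintained by AWS, so its grant set can change without any diff appearing in this file; if it has to stay for now, that should be stated next to the ARN, e.g. `// NOTE: AWS-managed policy — its permissions are maintained by AWS and can change without a diff here.` Stylistically, the two blocks duplicate the same ARN string and differ only in `role`; a single attachment with `for_each` over the two role names removes the copy and keeps one place to scope or remove the grant later.

```hcl
// TODO(msanft): incorporate this into the custom worker node / control-plane node policies
// NOTE: AWS-managed policy — its permissions are maintained by AWS and can change without a diff here.
resource "aws_iam_role_policy_attachment" "csi_driver_policy" {
  for_each   = toset([aws_iam_role.worker_node_role.name, aws_iam_role.control_plane_role.name])
  role       = each.value
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
}
```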