terraform: sort permissions

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
This commit is contained in:
Paul Meyer 2023-04-03 12:10:34 +02:00
parent e3f488839c
commit 63b07ede8a
2 changed files with 123 additions and 123 deletions


@ -54,64 +54,64 @@ resource "aws_iam_policy" "control_plane_policy" {
"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags", "autoscaling:DescribeTags",
"ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateRoute",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteRoute",
"ec2:DeleteSecurityGroup",
"ec2:DeleteVolume",
"ec2:DescribeImages",
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions", "ec2:DescribeRegions",
"ec2:DescribeRouteTables", "ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups", "ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"ec2:DescribeVolumes", "ec2:DescribeVolumes",
"ec2:CreateSecurityGroup", "ec2:DescribeVpcs",
"ec2:CreateTags", "ec2:DetachVolume",
"ec2:CreateVolume",
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume", "ec2:ModifyVolume",
"ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateRoute",
"ec2:DeleteRoute",
"ec2:DeleteSecurityGroup",
"ec2:DeleteVolume",
"ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress",
"ec2:DescribeVpcs",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:AddTags",
"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
"elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets",
"elasticloadbalancing:CreateLoadBalancerPolicy",
"elasticloadbalancing:CreateLoadBalancerListeners",
"elasticloadbalancing:ConfigureHealthCheck", "elasticloadbalancing:ConfigureHealthCheck",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteLoadBalancerListeners",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DetachLoadBalancerFromSubnets",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateLoadBalancerListeners",
"elasticloadbalancing:CreateLoadBalancerPolicy",
"elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:DeleteListener", "elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteLoadBalancerListeners",
"elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeLoadBalancerPolicies",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DetachLoadBalancerFromSubnets",
"elasticloadbalancing:ModifyListener", "elasticloadbalancing:ModifyListener",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ModifyTargetGroup", "elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
"iam:CreateServiceLinkedRole", "iam:CreateServiceLinkedRole",
"kms:DescribeKey", "kms:DescribeKey",
"logs:CreateLogStream",
"logs:DescribeLogGroups", "logs:DescribeLogGroups",
"logs:ListTagsLogGroup", "logs:ListTagsLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents", "logs:PutLogEvents",
"tag:GetResources", "tag:GetResources"
"ec2:DescribeImages"
], ],
"Resource": [ "Resource": [
"*" "*"
@ -162,21 +162,21 @@ resource "aws_iam_policy" "worker_node_policy" {
{ {
"Effect": "Allow", "Effect": "Allow",
"Action": [ "Action": [
"ec2:DescribeImages",
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeRegions", "ec2:DescribeRegions",
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability", "ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:DescribeRepositories",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer", "ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy", "ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages", "ecr:ListImages",
"ecr:BatchGetImage", "logs:CreateLogStream",
"logs:DescribeLogGroups", "logs:DescribeLogGroups",
"logs:ListTagsLogGroup", "logs:ListTagsLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents", "logs:PutLogEvents",
"tag:GetResources", "tag:GetResources"
"ec2:DescribeImages"
], ],
"Resource": "*" "Resource": "*"
} }
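Review bot: The sorted control-plane action list still contains `"elasticloadbalancing:AddTags"` twice, now adjacent at the head of the elasticloadbalancing group (the unsorted list already had it in two places, which the sort merely made visible); one entry should be dropped so the list is actually canonical. As far as I know IAM tolerates duplicate entries in an `Action` array, so this is hygiene rather than a functional defect, but a sort commit is the natural place to fix it. Separately, both statements grant every action on `"Resource": ["*"]`, which is broad for an instance role that can attach volumes, delete security groups and mutate load balancers; scoping the mutating `ec2:`/`elasticloadbalancing:` actions with `aws:ResourceTag`/`aws:RequestTag` conditions keyed on the cluster tag would be a worthwhile follow-up, though it is outside this sort-only change. The enclosing `aws_iam_policy` resource blocks start before and end after the hunks shown.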


@ -112,34 +112,34 @@ If you don't have a cloud subscription, you can try [MiniConstellation](first-st
<tabItem value="azure" label="Azure"> <tabItem value="azure" label="Azure">
The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription: The following [resource providers need to be registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in your subscription:
* `Microsoft.Attestation` \[2]
* `Microsoft.Compute` * `Microsoft.Compute`
* `Microsoft.Insights`
* `Microsoft.ManagedIdentity` * `Microsoft.ManagedIdentity`
* `Microsoft.Network` * `Microsoft.Network`
* `Microsoft.Insights`
* `Microsoft.Attestation` \[2]
By default, Constellation tries to register these automatically if they haven't been registered before. By default, Constellation tries to register these automatically if they haven't been registered before.
To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions: To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions:
* `Microsoft.Authorization/roleDefinitions/*`
* `Microsoft.Authorization/roleAssignments/*`
* `*/register/action` \[1] * `*/register/action` \[1]
* `Microsoft.Authorization/roleAssignments/*`
* `Microsoft.Authorization/roleDefinitions/*`
* `Microsoft.ManagedIdentity/userAssignedIdentities/*` * `Microsoft.ManagedIdentity/userAssignedIdentities/*`
* `Microsoft.Resources/subscriptions/resourcegroups/*` * `Microsoft.Resources/subscriptions/resourcegroups/*`
The built-in `Owner` role is a superset of these permissions. The built-in `Owner` role is a superset of these permissions.
To [create a Constellation cluster](../workflows/create.md#the-create-step), you need the following permissions: To [create a Constellation cluster](../workflows/create.md#the-create-step), you need the following permissions:
* `Microsoft.Attestation/attestationProviders/*` \[2]
* `Microsoft.Compute/virtualMachineScaleSets/*`
* `Microsoft.Insights/components/*` * `Microsoft.Insights/components/*`
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
* `Microsoft.Network/loadBalancers/*`
* `Microsoft.Network/loadBalancers/backendAddressPools/*`
* `Microsoft.Network/networkSecurityGroups/*`
* `Microsoft.Network/publicIPAddresses/*` * `Microsoft.Network/publicIPAddresses/*`
* `Microsoft.Network/virtualNetworks/*` * `Microsoft.Network/virtualNetworks/*`
* `Microsoft.Network/loadBalancers/*`
* `Microsoft.Network/networkSecurityGroups/*`
* `Microsoft.Network/loadBalancers/backendAddressPools/*`
* `Microsoft.Network/virtualNetworks/subnets/*` * `Microsoft.Network/virtualNetworks/subnets/*`
* `Microsoft.Compute/virtualMachineScaleSets/*`
* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
* `Microsoft.Attestation/attestationProviders/*` \[2]
The built-in `Contributor` role is a superset of these permissions. The built-in `Contributor` role is a superset of these permissions.
@ -200,14 +200,14 @@ To [create a Constellation cluster](../workflows/create.md#the-create-step), you
* `compute.instanceGroups.delete` * `compute.instanceGroups.delete`
* `compute.instanceGroups.get` * `compute.instanceGroups.get`
* `compute.instanceGroups.use` * `compute.instanceGroups.use`
* `compute.instanceTemplates.create`
* `compute.instanceTemplates.delete`
* `compute.instanceTemplates.get`
* `compute.instanceTemplates.useReadOnly`
* `compute.instances.create` * `compute.instances.create`
* `compute.instances.setLabels` * `compute.instances.setLabels`
* `compute.instances.setMetadata` * `compute.instances.setMetadata`
* `compute.instances.setTags` * `compute.instances.setTags`
* `compute.instanceTemplates.create`
* `compute.instanceTemplates.delete`
* `compute.instanceTemplates.get`
* `compute.instanceTemplates.useReadOnly`
* `compute.networks.create` * `compute.networks.create`
* `compute.networks.delete` * `compute.networks.delete`
* `compute.networks.get` * `compute.networks.get`
@ -244,27 +244,27 @@ To [create the IAM configuration](../workflows/config.md#creating-an-iam-configu
{ {
"Effect": "Allow", "Effect": "Allow",
"Action": [ "Action": [
"sts:GetCallerIdentity",
"ec2:DescribeAccountAttributes", "ec2:DescribeAccountAttributes",
"iam:CreateRole",
"iam:CreatePolicy",
"iam:GetPolicy",
"iam:GetRole",
"iam:GetPolicyVersion",
"iam:ListRolePolicies",
"iam:ListAttachedRolePolicies",
"iam:CreateInstanceProfile",
"iam:AttachRolePolicy",
"iam:GetInstanceProfile",
"iam:AddRoleToInstanceProfile", "iam:AddRoleToInstanceProfile",
"iam:AttachRolePolicy",
"iam:CreateInstanceProfile",
"iam:CreatePolicy",
"iam:CreateRole",
"iam:DeleteInstanceProfile",
"iam:DeletePolicy",
"iam:DeleteRole",
"iam:DetachRolePolicy",
"iam:GetInstanceProfile",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfilesForRole",
"iam:ListPolicyVersions",
"iam:ListRolePolicies",
"iam:PassRole", "iam:PassRole",
"iam:RemoveRoleFromInstanceProfile", "iam:RemoveRoleFromInstanceProfile",
"iam:DetachRolePolicy", "sts:GetCallerIdentity"
"iam:DeleteInstanceProfile",
"iam:ListPolicyVersions",
"iam:ListInstanceProfilesForRole",
"iam:DeletePolicy",
"iam:DeleteRole"
], ],
"Resource": "*" "Resource": "*"
} }
@ -283,76 +283,76 @@ To [create a Constellation cluster](../workflows/create.md#the-create-step), you
{ {
"Effect": "Allow", "Effect": "Allow",
"Action": [ "Action": [
"sts:GetCallerIdentity", "autoscaling:CreateAutoScalingGroup",
"ec2:DescribeAccountAttributes", "autoscaling:DeleteAutoScalingGroup",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeScalingActivities",
"autoscaling:SetInstanceProtection",
"autoscaling:UpdateAutoScalingGroup",
"ec2:AllocateAddress", "ec2:AllocateAddress",
"ec2:CreateVpc", "ec2:AssociateRouteTable",
"ec2:CreateTags", "ec2:AttachInternetGateway",
"logs:CreateLogGroup", "ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateInternetGateway",
"ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplate",
"ec2:CreateNatGateway",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVpc",
"ec2:DeleteInternetGateway",
"ec2:DeleteLaunchTemplate",
"ec2:DeleteNatGateway",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSubnet",
"ec2:DeleteVpc",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses", "ec2:DescribeAddresses",
"ec2:DescribeInternetGateways",
"ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplates",
"logs:PutRetentionPolicy",
"logs:DescribeLogGroups",
"ec2:DescribeVpcs",
"ec2:DescribeLaunchTemplateVersions", "ec2:DescribeLaunchTemplateVersions",
"logs:ListTagsLogGroup", "ec2:DescribeNatGateways",
"ec2:DescribeVpcClassicLink",
"ec2:DescribeVpcClassicLinkDnsSupport",
"ec2:DescribeVpcAttribute",
"ec2:DescribeNetworkAcls", "ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRouteTables", "ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups", "ec2:DescribeSecurityGroups",
"ec2:CreateSubnet",
"ec2:CreateSecurityGroup",
"elasticloadbalancing:CreateTargetGroup",
"ec2:CreateInternetGateway",
"ec2:DescribeSubnets", "ec2:DescribeSubnets",
"elasticloadbalancing:DescribeTargetGroups", "ec2:DescribeVpcAttribute",
"ec2:AttachInternetGateway", "ec2:DescribeVpcClassicLink",
"elasticloadbalancing:ModifyTargetGroupAttributes", "ec2:DescribeVpcClassicLinkDnsSupport",
"ec2:DescribeInternetGateways", "ec2:DescribeVpcs",
"autoscaling:CreateAutoScalingGroup",
"iam:PassRole",
"ec2:CreateNatGateway",
"ec2:RevokeSecurityGroupEgress",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:CreateLoadBalancer",
"ec2:DescribeNatGateways",
"elasticloadbalancing:DescribeTags",
"autoscaling:DescribeScalingActivities",
"ec2:CreateRouteTable",
"autoscaling:DescribeAutoScalingGroups",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:CreateRoute",
"ec2:AssociateRouteTable",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:DescribeListeners",
"logs:DeleteLogGroup",
"elasticloadbalancing:DeleteListener",
"ec2:DisassociateRouteTable",
"autoscaling:UpdateAutoScalingGroup",
"elasticloadbalancing:DeleteLoadBalancer",
"autoscaling:SetInstanceProtection",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteRouteTable",
"ec2:DeleteNatGateway",
"ec2:DetachInternetGateway", "ec2:DetachInternetGateway",
"ec2:DisassociateAddress", "ec2:DisassociateAddress",
"ec2:DisassociateRouteTable",
"ec2:ReleaseAddress", "ec2:ReleaseAddress",
"ec2:DeleteInternetGateway", "ec2:RevokeSecurityGroupEgress",
"ec2:DeleteSubnet", "elasticloadbalancing:AddTags",
"autoscaling:DeleteAutoScalingGroup", "elasticloadbalancing:CreateListener",
"ec2:DeleteLaunchTemplate", "elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DeleteTargetGroup",
"ec2:DeleteSecurityGroup", "elasticloadbalancing:DescribeListeners",
"ec2:DeleteVpc" "elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"iam:PassRole",
"logs:CreateLogGroup",
"logs:DeleteLogGroup",
"logs:DescribeLogGroups",
"logs:ListTagsLogGroup",
"logs:PutRetentionPolicy",
"sts:GetCallerIdentity"
], ],
"Resource": "*" "Resource": "*"
} }