Switch to managed EBS driver policy

spack · Oct 8, 2024 · ef5ed3c · ef5ed3c
1 parent f381f90
commit ef5ed3c
Showing 1 changed file with 4 additions and 136 deletions.
diff --git a/terraform/modules/spack_aws_k8s/eks.tf b/terraform/modules/spack_aws_k8s/eks.tf
@@ -165,142 +165,10 @@ resource "aws_iam_role" "ebs_csi_driver" {
   })
 }
 
-resource "aws_iam_role_policy" "ebs_csi_driver" {
-  name = "AmazonEKS_EBS_CSI_DriverPolicy-${var.deployment_name}"
-  role = aws_iam_role.ebs_csi_driver.id
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Effect" : "Allow",
-        "Action" : [
-          "ec2:CreateSnapshot",
-          "ec2:AttachVolume",
-          "ec2:DetachVolume",
-          "ec2:ModifyVolume",
-          "ec2:DescribeAvailabilityZones",
-          "ec2:DescribeInstances",
-          "ec2:DescribeSnapshots",
-          "ec2:DescribeTags",
-          "ec2:DescribeVolumes",
-          "ec2:DescribeVolumesModifications"
-        ],
-        "Resource" : "*"
-      },
-      {
-        "Effect" : "Allow",
-        "Action" : [
-          "ec2:CreateTags"
-        ],
-        "Resource" : [
-          "arn:aws:ec2:*:*:volume/*",
-          "arn:aws:ec2:*:*:snapshot/*"
-        ],
-        "Condition" : {
-          "StringEquals" : {
-            "ec2:CreateAction" : [
-              "CreateVolume",
-              "CreateSnapshot"
-            ]
-          }
-        }
-      },
-      {
-        "Effect" : "Allow",
-        "Action" : [
-          "ec2:DeleteTags"
-        ],
-        "Resource" : [
-          "arn:aws:ec2:*:*:volume/*",
-          "arn:aws:ec2:*:*:snapshot/*"
-        ]
-      },
-      {
-        "Effect" : "Allow",
-        "Action" : [
-          "ec2:CreateVolume"
-        ],
-        "Resource" : "*",
-        "Condition" : {
-          "StringLike" : {
-            "aws:RequestTag/ebs.csi.aws.com/cluster" : "true"
-          }
-        }
-      },
-      {
-        "Effect" : "Allow",
-        "Action" : [
-          "ec2:CreateVolume"
-        ],
-        "Resource" : "*",
-        "Condition" : {
-          "StringLike" : {
-            "aws:RequestTag/CSIVolumeName" : "*"
-          }
-        }
-      },
-      {
-        "Effect" : "Allow",
-        "Action" : [
-          "ec2:DeleteVolume"
-        ],
-        "Resource" : "*",
-        "Condition" : {
-          "StringLike" : {
-            "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true"
-          }
-        }
-      },
-      {
-        "Effect" : "Allow",
-        "Action" : [
-          "ec2:DeleteVolume"
-        ],
-        "Resource" : "*",
-        "Condition" : {
-          "StringLike" : {
-            "ec2:ResourceTag/CSIVolumeName" : "*"
-          }
-        }
-      },
-      {
-        "Effect" : "Allow",
-        "Action" : [
-          "ec2:DeleteVolume"
-        ],
-        "Resource" : "*",
-        "Condition" : {
-          "StringLike" : {
-            "ec2:ResourceTag/kubernetes.io/created-for/pvc/name" : "*"
-          }
-        }
-      },
-      {
-        "Effect" : "Allow",
-        "Action" : [
-          "ec2:DeleteSnapshot"
-        ],
-        "Resource" : "*",
-        "Condition" : {
-          "StringLike" : {
-            "ec2:ResourceTag/CSIVolumeSnapshotName" : "*"
-          }
-        }
-      },
-      {
-        "Effect" : "Allow",
-        "Action" : [
-          "ec2:DeleteSnapshot"
-        ],
-        "Resource" : "*",
-        "Condition" : {
-          "StringLike" : {
-            "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true"
-          }
-        }
-      }
-    ]
-  })
+resource "aws_iam_policy_attachment" "ebs_csi_driver" {
+  name       = "AmazonEKS_EBS_CSI_Driver-${var.deployment_name}"
+  roles      = [aws_iam_role.ebs_csi_driver.name]
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy" # AWS managed policy
 }
 
 resource "aws_iam_role" "efs_csi_driver" {