From b23f55fb1a6fffd6636be30807acbf39adf1b0a7 Mon Sep 17 00:00:00 2001
From: Eric Lake
Date: Wed, 10 Nov 2021 20:24:46 -0600
Subject: [PATCH] fix: Update iam policy document (#7)
We have found that when using the permissions currently in the efs_csi_driver that the pods are unable to mount the EFS filesystem. Adding the permissions listed in this PR allowed the access to function successfully. A sample error message was ``` Unauthorized to perform operation DescribeAvailabilityZones. ```
---
 iam.tf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/iam.tf b/iam.tf
index e6f9ce1..9b8a055 100644
--- a/iam.tf
+++ b/iam.tf
@@ -4,7 +4,9 @@ data "aws_iam_policy_document" "efs_csi_driver" {
 statement {
 actions = [
 "elasticfilesystem:DescribeAccessPoints",
- "elasticfilesystem:DescribeFileSystems"
+ "elasticfilesystem:DescribeFileSystems",
+ "elasticfilesystem:DescribeMountTargets",
+ "ec2:DescribeAvailabilityZones"
 ]
 resources = ["*"]
 effect = "Allow"
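Review bot: The two added actions land in the existing statement with `resources = ["*"]`, and nothing in the hunk records why a wildcard is acceptable there. `ec2:DescribeAvailabilityZones` does not support resource-level permissions, so it does need `*`. As far as I know, though, the `elasticfilesystem:Describe*` actions can be scoped to file-system or access-point ARNs, so sharing one statement means the EFS reads cannot later be narrowed without breaking the EC2 call. I would move the EC2 action into its own statement and put a comment such as `# ec2:Describe* has no resource-level support; "*" is required` above it. The statement and the enclosing data block both continue outside the hunk, so any conditions or further statements are not visible here.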