From 2f4646e3b213e87c9699d1ec998653a1dfc73d88 Mon Sep 17 00:00:00 2001
From: Aldo Lacuku <aldo@lacuku.eu>
Date: Thu, 18 Jul 2024 10:51:14 +0200
Subject: [PATCH] new(ebs-csi-controller): ad-hoc iam role for
 ebs-csi-controller

Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
---
 config/clusters/iam.tf                        | 144 ++++++++++++++++--
 .../ebs-csi-driver/ebs-csi-controller.yaml    |   2 +
 2 files changed, 132 insertions(+), 14 deletions(-)

diff --git a/config/clusters/iam.tf b/config/clusters/iam.tf
index c9de24286d..baf3c7136d 100644
--- a/config/clusters/iam.tf
+++ b/config/clusters/iam.tf
@@ -2,33 +2,149 @@ data "aws_canonical_user_id" "current_user" {}
 
 data "aws_caller_identity" "current" {}
 
+##### EBS CSI controller
+
+module "ebs_csi_controller" {
+  source           = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+  version          = "4.1.0"
+  create_role      = true
+  role_name        = "${local.cluster_name}-ebs-csi-controller"
+  provider_url     = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
+  role_policy_arns = [aws_iam_policy.ebs_controller_policy.arn]
+  oidc_fully_qualified_subjects = [
+    "system:serviceaccount:kube-system:ebs-csi-controller-sa",
+  ]
+}
+
+resource "aws_iam_policy" "ebs_controller_policy" {
+  name_prefix = "${local.cluster_name}-ebs-csi-driver"
+  policy      = data.aws_iam_policy_document.ebs_controller_policy_doc.json
+}
+
 data "aws_iam_policy_document" "ebs_controller_policy_doc" {
   statement {
     effect    = "Allow"
     resources = ["*"]
+
     actions = [
-      "ec2:AttachVolume",
       "ec2:CreateSnapshot",
-      "ec2:CreateTags",
-      "ec2:CreateVolume",
-      "ec2:DeleteSnapshot",
-      "ec2:DeleteTags",
-      "ec2:DeleteVolume",
+      "ec2:AttachVolume",
+      "ec2:DetachVolume",
+      "ec2:ModifyVolume",
+      "ec2:DescribeAvailabilityZones",
       "ec2:DescribeInstances",
       "ec2:DescribeSnapshots",
       "ec2:DescribeTags",
       "ec2:DescribeVolumes",
-      "ec2:DetachVolume",
-      "ec2:ModifyVolume",
-      "ec2:DescribeAvailabilityZones",
-      "ec2:DescribeVolumesModifications"
+      "ec2:DescribeVolumesModifications",
     ]
   }
-}
 
-resource "aws_iam_policy" "ebs_controller_policy" {
-  name_prefix = "${local.cluster_name}-ebs-csi-driver"
-  policy      = data.aws_iam_policy_document.ebs_controller_policy_doc.json
+  statement {
+    effect = "Allow"
+
+    resources = [
+      "arn:aws:ec2:*:*:volume/*",
+      "arn:aws:ec2:*:*:snapshot/*",
+    ]
+
+    actions = ["ec2:CreateTags"]
+  }
+
+  statement {
+    effect = "Allow"
+
+    resources = [
+      "arn:aws:ec2:*:*:volume/*",
+      "arn:aws:ec2:*:*:snapshot/*",
+    ]
+
+    actions = ["ec2:DeleteTags"]
+  }
+
+  statement {
+    effect    = "Allow"
+    resources = ["*"]
+    actions   = ["ec2:CreateVolume"]
+
+    condition {
+      test     = "StringLike"
+      variable = "aws:RequestTag/ebs.csi.aws.com/cluster"
+      values   = ["true"]
+    }
+  }
+
+  statement {
+    effect    = "Allow"
+    resources = ["*"]
+    actions   = ["ec2:CreateVolume"]
+
+    condition {
+      test     = "StringLike"
+      variable = "aws:RequestTag/CSIVolumeName"
+      values   = ["*"]
+    }
+  }
+
+  statement {
+    effect    = "Allow"
+    resources = ["*"]
+    actions   = ["ec2:DeleteVolume"]
+
+    condition {
+      test     = "StringLike"
+      variable = "ec2:ResourceTag/ebs.csi.aws.com/cluster"
+      values   = ["true"]
+    }
+  }
+
+  statement {
+    effect    = "Allow"
+    resources = ["*"]
+    actions   = ["ec2:DeleteVolume"]
+
+    condition {
+      test     = "StringLike"
+      variable = "ec2:ResourceTag/CSIVolumeName"
+      values   = ["*"]
+    }
+  }
+
+  statement {
+    effect    = "Allow"
+    resources = ["*"]
+    actions   = ["ec2:DeleteVolume"]
+
+    condition {
+      test     = "StringLike"
+      variable = "ec2:ResourceTag/kubernetes.io/created-for/pvc/name"
+      values   = ["*"]
+    }
+  }
+
+  statement {
+    effect    = "Allow"
+    resources = ["*"]
+    actions   = ["ec2:DeleteSnapshot"]
+
+    condition {
+      test     = "StringLike"
+      variable = "ec2:ResourceTag/CSIVolumeSnapshotName"
+      values   = ["*"]
+    }
+  }
+
+  statement {
+    effect    = "Allow"
+    resources = ["*"]
+    actions   = ["ec2:DeleteSnapshot"]
+
+    condition {
+      test     = "StringLike"
+      variable = "ec2:ResourceTag/ebs.csi.aws.com/cluster"
+      values   = ["true"]
+    }
+  }
 }
 
 ##### Cluster-autoscaler
diff --git a/config/prow/ebs-csi-driver/ebs-csi-controller.yaml b/config/prow/ebs-csi-driver/ebs-csi-controller.yaml
index 4df685aebe..eb56a95c84 100644
--- a/config/prow/ebs-csi-driver/ebs-csi-controller.yaml
+++ b/config/prow/ebs-csi-driver/ebs-csi-controller.yaml
@@ -4,6 +4,8 @@ kind: ServiceAccount
 metadata:
   labels:
     app.kubernetes.io/name: aws-ebs-csi-driver
+  annotations:
+    eks.amazonaws.com/role-arn: arn:aws:iam::292999226676:role/falco-prow-test-infra-ebs-csi-controller
   name: ebs-csi-controller-sa
   namespace: kube-system
 ---