EMP-2651, change condition ctx (#56)

* change tagging conditions * change tagging conditions user cft * restrict only on 1 tag
platform9 · Oct 4, 2024 · 0abcf01 · 0abcf01
1 parent 09c4874
commit 0abcf01
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 12 deletions.
diff --git a/emp/emp_role_cftemplate.yaml b/emp/emp_role_cftemplate.yaml
@@ -42,6 +42,7 @@ Resources:
               - arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/*
           - Action:
               # they are related to heartbeat sent by systems manager see: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html
+              # these permissions are needed by the ec2 instance itself. AWS docs don't disclose a resource type for this.
               - ssm:UpdateInstanceInformation
               - ssmmessages:CreateControlChannel
               - ssmmessages:CreateDataChannel
@@ -324,9 +325,6 @@ Resources:
             Condition:
               StringEquals:
                 aws:RequestTag/emp.pf9.io: owned
-              StringLike:
-                aws:RequestTag/emp.pf9.io/baremetalpool: '*'
-                aws:RequestTag/emp.pf9.io/namespace: '*'
           - Action:
               - elasticfilesystem:DescribeFileSystems
               - elasticfilesystem:CreateMountTarget
@@ -338,9 +336,6 @@ Resources:
             Condition:
               StringEquals:
                 aws:ResourceTag/emp.pf9.io: owned
-              StringLike:
-                aws:ResourceTag/emp.pf9.io/namespace: '*'
-                aws:ResourceTag/emp.pf9.io/baremetalpool: '*'
           - Action:
               - elasticfilesystem:TagResource
             Effect: Allow

diff --git a/emp/emp_user_cftemplate.yaml b/emp/emp_user_cftemplate.yaml
@@ -334,9 +334,6 @@ Resources:
             Condition:
               StringEquals:
                 aws:RequestTag/emp.pf9.io: owned
-              StringLike:
-                aws:RequestTag/emp.pf9.io/baremetalpool: '*'
-                aws:RequestTag/emp.pf9.io/namespace: '*'
           - Action:
               - elasticfilesystem:DescribeFileSystems
               - elasticfilesystem:CreateMountTarget
@@ -348,9 +345,6 @@ Resources:
             Condition:
               StringEquals:
                 aws:ResourceTag/emp.pf9.io: owned
-              StringLike:
-                aws:ResourceTag/emp.pf9.io/namespace: '*'
-                aws:ResourceTag/emp.pf9.io/baremetalpool: '*'
           - Action:
               - elasticfilesystem:TagResource
             Effect: Allow