fix: updated example role and policy
Signed-off-by: sachinmalanki <[email protected]>
sachinmalanki committed Sep 24, 2024
1 parent 06686aa commit 4a45ef6
Showing 2 changed files with 284 additions and 122 deletions.
193 changes: 138 additions & 55 deletions examples/batch/v1beta1/computeenvironment.yaml
Expand Up @@ -13,26 +13,24 @@ spec:
matchLabels:
testing.upbound.io/example-name: ecs_instance_role
instanceType:
- c4.large
- c4.large
maxVcpus: 16
minVcpus: 0
placementGroupSelector:
matchLabels:
testing.upbound.io/example-name: sample
securityGroupIds:
- sg-1234567890abcdef0
- sg-1234567890abcdef0
subnets:
- subnet-1234567890abcdef0
- subnet-0987654321fedcba0
- subnet-1234567890abcdef0
- subnet-0987654321fedcba0
type: EC2
region: us-west-1
serviceRoleSelector:
matchLabels:
testing.upbound.io/example-name: aws_batch_service_role
type: MANAGED

---

apiVersion: iam.aws.upbound.io/v1beta1
kind: InstanceProfile
metadata:
Expand All @@ -45,10 +43,8 @@ spec:
forProvider:
roleSelector:
matchLabels:
testing.upbound.io/example-name: ecs_instance_role

testing.upbound.io/example-name: ecs_iam_role
---

apiVersion: iam.aws.upbound.io/v1beta1
kind: Role
metadata:
Expand All @@ -61,84 +57,76 @@ spec:
forProvider:
assumeRolePolicy: |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "batch.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
---

apiVersion: iam.aws.upbound.io/v1beta1
kind: Role
metadata:
annotations:
meta.upbound.io/example-id: batch/v1beta1/computeenvironment
labels:
testing.upbound.io/example-name: ecs_instance_role
testing.upbound.io/example-name: ecs_iam_role
name: ecs-instance-role
spec:
forProvider:
assumeRolePolicy: |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
---

apiVersion: iam.aws.upbound.io/v1beta1
kind: RolePolicyAttachment
metadata:
annotations:
meta.upbound.io/example-id: batch/v1beta1/computeenvironment
labels:
testing.upbound.io/example-name: aws_batch_service_role
testing.upbound.io/example-name: aws_batch_service_role_attachment
name: aws-batch-service-role
spec:
forProvider:
policyArnSelector:
matchLabels:
testing.upbound.io/example-name: sample_policy
testing.upbound.io/example-name: aws_batch_service_policy
roleSelector:
matchLabels:
testing.upbound.io/example-name: aws_batch_service_role

---

apiVersion: iam.aws.upbound.io/v1beta1
kind: RolePolicyAttachment
metadata:
annotations:
meta.upbound.io/example-id: batch/v1beta1/computeenvironment
labels:
testing.upbound.io/example-name: ecs_instance_role
testing.upbound.io/example-name: ecs_instance_role_attachment
name: ecs-instance-role
spec:
forProvider:
policyArnSelector:
matchLabels:
testing.upbound.io/example-name: sample_policy
testing.upbound.io/example-name: aws_ecs_service_policy
roleSelector:
matchLabels:
testing.upbound.io/example-name: ecs_instance_role

---

apiVersion: ec2.aws.upbound.io/v1beta1
kind: PlacementGroup
metadata:
Expand All @@ -152,28 +140,123 @@ spec:
region: us-west-1
strategy: cluster
---

apiVersion: iam.aws.upbound.io/v1beta1
kind: Policy
metadata:
annotations:
meta.upbound.io/example-id: iam/v1beta1/role
labels:
testing.upbound.io/example-name: sample_policy
name: sample-user-policy
testing.upbound.io/example-name: aws_batch_service_policy
name: batch-sample-user-policy
spec:
forProvider:
policy: |
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "elastic-inference:Connect",
"Resource": "*"
}
]
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSBatchPolicyStatement1",
"Effect": "Allow",
"Action": [
"ec2:*",
"autoscaling:*",
"ecs:*",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogGroups",
"iam:GetInstanceProfile",
"iam:GetRole"
],
"Resource": "*"
},
{
"Sid": "AWSBatchPolicyStatement2",
"Effect": "Allow",
"Action": "ecs:TagResource",
"Resource": [
"arn:aws:ecs:*:*:task/*_Batch_*"
]
},
{
"Sid": "AWSBatchPolicyStatement3",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"ec2.amazonaws.com",
"ec2.amazonaws.com.cn",
"ecs-tasks.amazonaws.com"
]
}
}
},
{
"Sid": "AWSBatchPolicyStatement4",
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"spot.amazonaws.com",
"spotfleet.amazonaws.com",
"autoscaling.amazonaws.com",
"ecs.amazonaws.com"
]
}
}
},
{
"Sid": "AWSBatchPolicyStatement5",
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"ec2:CreateAction": "RunInstances"
}
}
}
]
}
---
apiVersion: iam.aws.upbound.io/v1beta1
kind: Policy
metadata:
annotations:
meta.upbound.io/example-id: iam/v1beta1/role
labels:
testing.upbound.io/example-name: aws_ecs_service_policy
name: ecs-sample-user-policy
spec:
forProvider:
policy: |
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EcsOperations",
"Effect": "Allow",
"Action": [
"ecs:*",
"ec2:DescribeInstances"
],
"Resource": "*"
},
{
"Sid": "EcrOperations",
"Effect": "Allow",
"Action": "ecr:GetAuthorizationToken",
"Resource": "*"
}
]
}
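Review bot: Statement `AWSBatchPolicyStatement1` of the new `batch-sample-user-policy` grants `ec2:*`, `autoscaling:*` and `ecs:*` on `"Resource": "*"` with no condition, while statements 2–5 of the same policy are scoped by a resource pattern or condition keys. Because example manifests tend to be copied as-is, the service role should carry only the actions Batch needs; the simplest change is to drop the custom Policy and have the `aws-batch-service-role` attachment reference the AWS managed policy, `policyArn: arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole`. The same applies to `ecs-sample-user-policy`, which gives the instance role `ecs:*` on all resources; `policyArn: arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role` should cover the container instance with an enumerated action list instead. Separately, the `ecs-instance-role` attachment's `roleSelector` still appears to match `ecs_instance_role` while the Role's label seems to change to `ecs_iam_role`, so it is worth confirming that the selector still resolves to a Role after this commit.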