davad/argo
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

chore(work): add Crossplane examples

Browse source
This commit is contained in:
David Landry 2025-03-05 13:02:36 -05:00
parent c3edbddce8
commit 31a9a4ce92
10 changed files with 375 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

23
bootstrap/crossplane/iam-examples/CognitoManagement-README.md Normal file
View file

@ -0,0 +1,23 @@
I'm not sure what permissions are needed to create a UserPool. There is
no AWS managed policies for creating/updating/deleting a UserPool. In the
description of one of the managed Cognito policies, it says:
> You will need AWS account admin privileges to create new Cognito resources.
For my testing, I used the AdministratorAccess managed policy.
To follow the principle of least privilege, it's not clear which actions
Crossplane needs access to it. Here is a list of some areas that it might
touch:
* cognito-identity
* cognito-ip
* cognito-sync
* iam
* kinesis
* lambda
* sns
* ses
* mobiletargeting
* acm
* sms-voice

18
bootstrap/crossplane/iam-examples/CognitoManagement-role.json Normal file
View file

@ -0,0 +1,18 @@
{
"Role": {
"Path": "/",
"RoleName": "CognitoManagementRole",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXXXXXX:role/CrossplaneServiceRole"
},
"Action": "sts:AssumeRole"
}
]
}
}
}

24
bootstrap/crossplane/iam-examples/CrossplaneServiceRole.json Normal file
View file

@ -0,0 +1,24 @@
{
"Role": {
"Path": "/",
"RoleName": "CrossplaneServiceRole",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::XXXXXXXXXXXX:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.us-east-1.amazonaws.com/id/YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY:sub": "system:serviceaccount:NAMESPACE:SERVICEACCOUNTNAME",
"oidc.eks.us-east-1.amazonaws.com/id/YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY:aud": "sts.amazonaws.com"
}
}
}
]
}
}
}

61
bootstrap/crossplane/iam-examples/S3Manage-policy.json Normal file
View file

@ -0,0 +1,61 @@
{
"RoleName": "S3Manage",
"PolicyName": "s3-readwrite-masos-buckets",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:DeleteObjectTagging",
"s3:DeleteObjectVersion",
"s3:GetObjectVersionTagging",
"s3:RestoreObject",
"s3:PutObjectVersionTagging",
"s3:DeleteObjectVersionTagging",
"s3:GetObjectVersionAttributes",
"s3:GetObjectVersionTorrent",
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectTorrent",
"s3:GetObjectTagging",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::masos-XXXXXXX-*/*"
},{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:GetLifecycleConfiguration",
"s3:GetBucketTagging",
"s3:GetBucketWebsite",
"s3:GetBucketLogging",
"s3:CreateBucket",
"s3:ListBucket",
"s3:GetAccelerateConfiguration",
"s3:GetBucketVersioning",
"s3:PutBucketCORS",
"s3:GetBucketAcl",
"s3:DeleteBucketPolicy",
"s3:GetBucketPolicy",
"s3:GetReplicationConfiguration",
"s3:GetBucketObjectLockConfiguration",
"s3:GetEncryptionConfiguration",
"s3:PutBucketTagging",
"s3:GetBucketRequestPayment",
"s3:GetBucketCORS",
"s3:PutBucketAcl",
"s3:PutBucketPolicy",
"s3:PutBucketObjectLockConfiguration",
"s3:GetBucketLocation",
"s3:DeleteBucket",
"s3:PutBucketVersioning"
],
"Resource": "arn:aws:s3:::masos-XXXXXXX-*"
}
]
}
}

18
bootstrap/crossplane/iam-examples/S3Manage-role.json Normal file
View file

@ -0,0 +1,18 @@
{
"Role": {
"Path": "/",
"RoleName": "S3Manage",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXXXXXX:role/CrossplaneServiceRole"
},
"Action": "sts:AssumeRole"
}
]
}
}
}