From 16ab23c2d5f55e9c68edcf02d4c80aebff953ab0 Mon Sep 17 00:00:00 2001
From: Max Xu <xuhuan@live.cn>
Date: Thu, 7 Dec 2023 23:07:14 +0800
Subject: [PATCH 1/2] feat: update permissions for bootstrap role boundary

---
 .../files/bootstrap_role_iam_policy.json.tpl   |  6 ++++--
 .../permission_boundary_iam_policy.json.tpl    | 18 +++---------------
 2 files changed, 7 insertions(+), 17 deletions(-)

diff --git a/modules/aws/files/bootstrap_role_iam_policy.json.tpl b/modules/aws/files/bootstrap_role_iam_policy.json.tpl
index 8b29d16..4be94aa 100644
--- a/modules/aws/files/bootstrap_role_iam_policy.json.tpl
+++ b/modules/aws/files/bootstrap_role_iam_policy.json.tpl
@@ -89,7 +89,8 @@
       "Sid": "ResR53Z",
       "Effect": "Allow",
       "Action": [
-        "route53:ChangeResourceRecordSets"
+        "route53:ChangeResourceRecordSets",
+        "route53:DeleteHostedZone"
       ],
       "Resource": ${r53_zone_arns}
     },
@@ -318,7 +319,8 @@
         "iam:TagInstanceProfile",
         "iam:TagOpenIDConnectProvider",
         "iam:DeletePolicy",
-        "iam:DeletePolicyVersion"
+        "iam:DeletePolicyVersion",
+        "iam:PutRolePolicy"
       ],
       "Resource": [
         "arn:${partition}:iam::${account_id}:role/StreamNative/*",
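Review bot: Granting `iam:PutRolePolicy` on `role/StreamNative/*` (L31) lets the bootstrap role write arbitrary inline policies onto every role under that path, so the effective permissions of those roles are capped only by whatever permissions boundary each of them carries. Unless every role under `StreamNative/` is guaranteed to have the boundary attached, this is a privilege-escalation path equal to everything those roles are trusted for; the statement's Sid, remaining Resource entries and any Condition are outside this hunk, so I can't tell whether that is already enforced. Consider pairing the grant with a Condition that the target role already carries the boundary, e.g. `"Condition": {"StringEquals": {"iam:PermissionsBoundary": "arn:${partition}:iam::${account_id}:policy/<boundary-policy-name>"}}`, and an explicit `Deny` for `iam:DeleteRolePermissionsBoundary` on the same resources.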
diff --git a/modules/aws/files/permission_boundary_iam_policy.json.tpl b/modules/aws/files/permission_boundary_iam_policy.json.tpl
index 7dd6530..17a0c04 100644
--- a/modules/aws/files/permission_boundary_iam_policy.json.tpl
+++ b/modules/aws/files/permission_boundary_iam_policy.json.tpl
@@ -13,21 +13,8 @@
           "ecr:*",
           "eks:*",
           "elasticloadbalancing:*",
-          "iam:GetInstanceProfile",
-          "iam:GetOpenIDConnectProvider",
-          "iam:GetPolicy",
-          "iam:GetPolicyVersion",
-          "iam:GetRole",
-          "iam:GetServerCertificate",
-          "iam:ListAttachedRolePolicies",
-          "iam:ListEntitiesForPolicy",
-          "iam:ListInstanceProfile*",
-          "iam:ListOpenIDConnectProvider*",
-          "iam:ListPolicies",
-          "iam:ListPolicyTags",
-          "iam:ListPolicyVersions",
-          "iam:ListRole*",
-          "iam:ListServerCertificates",
+          "iam:Get*",
+          "iam:List*",
           "kms:*",
           "logs:*",
           "route53:*",
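Review bot: Collapsing the enumerated read actions into `iam:Get*` and `iam:List*` (L58-L59) widens the boundary from the role/policy/OIDC/certificate reads that were listed to every IAM read API, including account-wide enumeration such as `iam:ListUsers`, `iam:ListAccessKeys`, `iam:GetLoginProfile` and `iam:GetAccountAuthorizationDetails`. Because this file is a permissions boundary it only caps what an identity policy may grant, but a bounded role that is granted broad `iam:*` elsewhere can now map every principal and access key in the account, which is useful reconnaissance for lateral movement. If the widening is deliberate, to stop chasing individual missing Get/List actions, say so in the commit message; otherwise keep the explicit list and add only the actions that were actually found missing. The statement's Resource is outside the hunk, so I can't tell whether it is scoped or `"*"`.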
@@ -55,6 +42,7 @@
         "iam:DeleteRole",
         "iam:DeleteServiceLinkedRole",
         "iam:DetachRolePolicy",
+        "iam:PutRolePolicy",
         "iam:PutRolePermissionsBoundary",
         "iam:RemoveRoleFromInstanceProfile",
         "iam:SetDefaultPolicyVersion",
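Review bot: Adding `iam:PutRolePolicy` (L67) to a boundary statement that already allows `iam:PutRolePermissionsBoundary` (L68) gives a bounded role a way out of its own boundary: if its own ARN (or any role it can assume) falls under this statement's Resource, it can write itself an inline policy granting `iam:PutRolePermissionsBoundary`, which the boundary now also permits, and then swap its boundary for a permissive policy. This holds unless the statement's Condition, which is outside this hunk, pins `iam:PermissionsBoundary` to this policy's ARN or the Resource excludes the calling role. I would move `iam:PutRolePermissionsBoundary` into a separate statement conditioned with `"StringEquals": {"iam:PermissionsBoundary": "arn:${partition}:iam::${account_id}:policy/<this-boundary-name>"}`, apply the same condition to `iam:PutRolePolicy`, and add an explicit `Deny` for `iam:DeleteRolePermissionsBoundary` so the new action cannot be chained into a boundary swap.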

From faf0cd01019f7a4fe0c0a2cc0bdc793f101d1cfe Mon Sep 17 00:00:00 2001
From: Max Xu <xuhuan@live.cn>
Date: Sun, 10 Dec 2023 19:36:37 +0800
Subject: [PATCH 2/2] chore: remove duplicated statement

---
 .../files/permission_boundary_iam_policy.json.tpl | 15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)

diff --git a/modules/aws/files/permission_boundary_iam_policy.json.tpl b/modules/aws/files/permission_boundary_iam_policy.json.tpl
index 17a0c04..93337b6 100644
--- a/modules/aws/files/permission_boundary_iam_policy.json.tpl
+++ b/modules/aws/files/permission_boundary_iam_policy.json.tpl
@@ -66,19 +66,6 @@
         "arn:${partition}:iam::${account_id}:server-certificate/*"
       ]
     },
-    {
-      "Sid": "RestrictPassRoleToEKS",
-      "Effect": "Allow",
-      "Action": [
-        "iam:PassRole"
-      ],
-      "Resource": "arn:${partition}:iam::${account_id}:role/${cluster_pattern}",
-      "Condition": {
-        "StringEquals": {
-          "iam:PassedToService": "eks.amazonaws.com"
-        }
-      }
-    },
     {
       "Sid": "AllowedIAMManagedPolicies",
       "Effect": "Allow",
@@ -106,7 +93,7 @@
       }
     },
     {
-      "Sid": "ResPsRlEKS",
+      "Sid": "RestrictPassRoleToEKS",
       "Effect": "Allow",
       "Action": [
         "iam:PassRole"