feat: Update VPC CNI IPv4 policy to use scoped policy

aws_vpc_cni.tf

@@ -9,26 +9,106 @@ data "aws_iam_policy_document" "vpc_cni" {
   source_policy_documents   = [data.aws_iam_policy_document.base[0].json]
   override_policy_documents = var.override_policy_documents
 
-  # arn:${local.partition}:iam::aws:policy/AmazonEKS_CNI_Policy
+  statement {
+    actions   = ["ec2:CreateTags"]
+    resources = ["arn:${local.partition}:ec2:*:*:network-interface/*"]
+  }
+
+  # https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/iam-policy.md#sample-scope-down-iam-policy-for-ipv4-mode
   dynamic "statement" {
     for_each = var.aws_vpc_cni_enable_ipv4 ? [1] : []
 
     content {
-      sid = "IPV4"
       actions = [
-        "ec2:AssignPrivateIpAddresses",
-        "ec2:AttachNetworkInterface",
-        "ec2:CreateNetworkInterface",
-        "ec2:DeleteNetworkInterface",
         "ec2:DescribeInstances",
         "ec2:DescribeTags",
         "ec2:DescribeNetworkInterfaces",
         "ec2:DescribeInstanceTypes",
+      ]
+      resources = ["*"]
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.aws_vpc_cni_enable_ipv4 ? [1] : []
+
+    content {
+      actions   = ["ec2:CreateNetworkInterface"]
+      resources = ["arn:${local.partition}:ec2:*:*:network-interface/*"]
+
+      condition {
+        test     = "StringEquals"
+        variable = "aws:RequestTag/eks-cluster-arn"
+        values   = ["$${aws:PrincipalTag/eks-cluster-arn}"]
+      }
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.aws_vpc_cni_enable_ipv4 ? [1] : []
+
+    content {
+      actions = ["ec2:CreateNetworkInterface"]
+      resources = [
+        "arn:${local.partition}:ec2:*:*:subnet/*",
+        "arn:${local.partition}:ec2:*:*:security-group/*"
+      ]
+
+      condition {
+        test     = "ArnLike"
+        variable = "ec2:Vpc"
+        values   = ["arn:aws:ec2:*:*:vpc/*"]
+      }
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.aws_vpc_cni_enable_ipv4 ? [1] : []
+
+    content {
+      actions = [
+        "ec2:DeleteNetworkInterface",
+        "ec2:UnassignPrivateIpAddresses",
+        "ec2:AssignPrivateIpAddresses",
+        "ec2:AttachNetworkInterface",
         "ec2:DetachNetworkInterface",
         "ec2:ModifyNetworkInterfaceAttribute",
-        "ec2:UnassignPrivateIpAddresses",
       ]
-      resources = ["*"]
+      resources = ["arn:${local.partition}:ec2:*:*:network-interface/*"]
+
+      condition {
+        test     = "StringEquals"
+        variable = "aws:ResourceTag/eks-cluster-arn"
+        values   = ["$${aws:PrincipalTag/eks-cluster-arn}"]
+      }
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.aws_vpc_cni_enable_ipv4 ? [1] : []
+
+    content {
+      actions = [
+        "ec2:AttachNetworkInterface",
+        "ec2:DetachNetworkInterface",
+        "ec2:ModifyNetworkInterfaceAttribute",
+      ]
+      resources = ["arn:${local.partition}:ec2:*:*:instance/*"]
+
+      condition {
+        test     = "StringEquals"
+        variable = "aws:ResourceTag/eks-cluster-arn"
+        values   = ["$${aws:PrincipalTag/eks-cluster-arn}"]
+      }
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.aws_vpc_cni_enable_ipv4 ? [1] : []
+
+    content {
+      actions   = ["ec2:ModifyNetworkInterfaceAttribute"]
+      resources = ["arn:${local.partition}:ec2:*:*:security-group/*"]
     }
   }
 
@@ -37,7 +117,6 @@ data "aws_iam_policy_document" "vpc_cni" {
     for_each = var.aws_vpc_cni_enable_ipv6 ? [1] : []
 
     content {
-      sid = "IPV6"
       actions = [
         "ec2:AssignIpv6Addresses",
         "ec2:DescribeInstances",
@@ -48,12 +127,6 @@ data "aws_iam_policy_document" "vpc_cni" {
       resources = ["*"]
     }
   }
-
-  statement {
-    sid       = "CreateTags"
-    actions   = ["ec2:CreateTags"]
-    resources = ["arn:${local.partition}:ec2:*:*:network-interface/*"]
-  }
 }
 
 locals {