From eb07883f04adbf482230f0414e73fa70a19adae5 Mon Sep 17 00:00:00 2001
From: Anders Ingemann
Date: Mon, 18 Mar 2024 09:50:50 +0100
Subject: [PATCH] aws/cert-manager: Tighten IAM permissions for cert-manager

This change restricts which record types and domain prefixes cert-manager is allowed to change for DNS01 acme challenges. Only _acme-challenge.* TXT records may be created/updated/removed. Implements kubernetes/kops#15680
---
 .../addonmanifests/certmanager/iam.go | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/pkg/model/components/addonmanifests/certmanager/iam.go b/pkg/model/components/addonmanifests/certmanager/iam.go
index 6df7b747c261e..8861d166ea69d 100644
--- a/pkg/model/components/addonmanifests/certmanager/iam.go
+++ b/pkg/model/components/addonmanifests/certmanager/iam.go
@@ -57,12 +57,24 @@ func addCertManagerPermissions(b *iam.PolicyBuilder, p *iam.Policy) {
 p.Statement = append(p.Statement, &iam.Statement{
 Effect: iam.StatementEffectAllow,
- Action: stringorset.Of("route53:ChangeResourceRecordSets",
- "route53:ListResourceRecordSets",
- ),
+ Action: stringorset.Of("route53:ListResourceRecordSets"),
 Resource: stringorset.Set(zoneResources),
 })

+ p.Statement = append(p.Statement, &iam.Statement{
+ Effect: iam.StatementEffectAllow,
+ Action: stringorset.Of("route53:ChangeResourceRecordSets"),
+ Resource: stringorset.Set(zoneResources),
+ Condition: iam.Condition{
+ "ForAllValues:StringLike": map[string]interface{}{
+ "route53:ChangeResourceRecordSetsNormalizedRecordNames": []string{"_acme-challenge.*"},
+ },
+ "ForAllValues:StringEquals": map[string]interface{}{
+ "route53:ChangeResourceRecordSetsRecordTypes": []string{"TXT"},
+ },
+ },
+ })
+
 p.Statement = append(p.Statement, &iam.Statement{
 Effect: iam.StatementEffectAllow,
 Action: stringorset.Set([]string{"route53:GetChange"}),