From 1bc058c749081f37a67a5d08d24b1fcec449e2f2 Mon Sep 17 00:00:00 2001
From: Calvin Bui <3604363+calvinbui@users.noreply.github.com>
Date: Tue, 22 Oct 2024 10:43:31 +1100
Subject: [PATCH] feat: Update AWS EBS CSI Driver IAM Policy (#530)
---
 modules/iam-role-for-service-accounts-eks/policies.tf | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf
index 20a087d7..c8d34105 100644
--- a/modules/iam-role-for-service-accounts-eks/policies.tf
+++ b/modules/iam-role-for-service-accounts-eks/policies.tf
@@ -200,7 +200,7 @@ data "aws_iam_policy_document" "ebs_csi" {
 statement {
 actions = ["ec2:CreateVolume"]
- resources = ["*"]
+ resources = ["arn:aws:ec2:*:*:volume/*"]
 condition {
 test = "StringLike"
@@ -213,7 +213,7 @@ data "aws_iam_policy_document" "ebs_csi" {
 statement {
 actions = ["ec2:CreateVolume"]
- resources = ["*"]
+ resources = ["arn:aws:ec2:*:*:volume/*"]
 condition {
 test = "StringLike"
@@ -233,6 +233,11 @@ data "aws_iam_policy_document" "ebs_csi" {
 }
 }
+ statement {
+ actions = ["ec2:CreateVolume"]
+ resources = ["arn:aws:ec2:*:*:snapshot/*"]
+ }
+
 statement {
 actions = ["ec2:DeleteVolume"]
 resources = ["*"]
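Review bot: The new `resources` value in the first hunk hard-codes the `aws` partition (`arn:aws:ec2:*:*:volume/*`), so in an `aws-cn` or `aws-us-gov` account the EBS CSI driver's `ec2:CreateVolume` would match no resource and volume provisioning would be denied; the identical line in the hunk at old line 213 and the snapshot ARN in the hunk at old line 233 have the same problem. Narrowing from `*` to volume ARNs is the right least-privilege direction, but the partition should come from the provider rather than a literal. If this file already resolves the partition elsewhere (for example via an `aws_partition` data source, which is how the rest of this module's ARNs would normally be built), interpolate it, e.g. (constructed name) `resources = ["arn:${data.aws_partition.current.partition}:ec2:*:*:volume/*"]`. The enclosing `data "aws_iam_policy_document" "ebs_csi"` block starts before and ends after this hunk.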
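Review bot: The added `ec2:CreateVolume` statement on `arn:aws:ec2:*:*:snapshot/*` in the third hunk carries no `condition` block, unlike the two tag-scoped `CreateVolume` statements just above it, and nothing in the file says why, so an auditor reading the policy will see it as an unconditional widening. Presumably it is needed because creating a volume from a snapshot is authorized against the source snapshot resource, to which the cluster-tag `aws:RequestTag` condition on the volume statements does not apply — confirm that, and if so record it in a comment above the statement, e.g. `# Source snapshot for CreateVolume-from-snapshot; the cluster tag condition applies to the volume resource, not the snapshot`. This is a documentation suggestion only; the enclosing `aws_iam_policy_document` begins before the hunk and its `DeleteVolume` statement continues past it.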