Allow EBS CSI driver role to perform ec2:CreateVolume on snapshots

This is required because AWS is going to start checking permissions on snapshots when creating a volume from one kubernetes-sigs/aws-ebs-csi-driver#2190
alphagov · Dec 18, 2024 · c40328a · c40328a
1 parent 1e7a246
commit c40328a
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/terraform/deployments/cluster-infrastructure/aws_ebs_csi_iam.tf b/terraform/deployments/cluster-infrastructure/aws_ebs_csi_iam.tf
@@ -83,6 +83,18 @@ data "aws_iam_policy_document" "aws_ebs_csi_driver" {
     }
   }
 
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "ec2:CreateVolume"
+    ]
+
+    resources = [
+      "arn:*:ec2:*:*:snapshot/*"
+    ]
+  }
+
   statement {
     effect = "Allow"