From c40328a8811450cec63084a8d4b6f91d8a0d82fe Mon Sep 17 00:00:00 2001
From: Sam Simpson
Date: Wed, 18 Dec 2024 11:25:42 +0000
Subject: [PATCH] Allow EBS CSI driver role to perform ec2:CreateVolume on snapshots
This is required because AWS is going to start checking permissions on snapshots when creating a volume from one https://github.com/kubernetes-sigs/aws-ebs-csi-driver/issues/2190
---
 .../cluster-infrastructure/aws_ebs_csi_iam.tf | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/terraform/deployments/cluster-infrastructure/aws_ebs_csi_iam.tf b/terraform/deployments/cluster-infrastructure/aws_ebs_csi_iam.tf
index 25fa648a4..03a84e840 100644
--- a/terraform/deployments/cluster-infrastructure/aws_ebs_csi_iam.tf
+++ b/terraform/deployments/cluster-infrastructure/aws_ebs_csi_iam.tf
@@ -83,6 +83,18 @@ data "aws_iam_policy_document" "aws_ebs_csi_driver" {
 }
 }
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "ec2:CreateVolume"
+ ]
+
+ resources = [
+ "arn:*:ec2:*:*:snapshot/*"
+ ]
+ }
+
 statement {
 effect = "Allow"
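Review bot: The added `statement` grants `ec2:CreateVolume` on `arn:*:ec2:*:*:snapshot/*` with no `condition` block, so on the snapshot side the driver role is authorized for every snapshot the account can read, which may include snapshots shared from other accounts. If the cluster only restores from snapshots it owns or that the driver created, a `condition` on the snapshot resource (for example on `ec2:Owner` or an `ec2:ResourceTag/...` key) would keep the grant least-privilege. Any conditions on the volume side are not visible here, because the `aws_iam_policy_document` block starts and ends outside this hunk. If the wildcard is deliberate, say so in the file with a comment above the statement, such as `# CreateVolume is also authorized against the source snapshot (aws-ebs-csi-driver#2190); left unconditioned so any readable snapshot can be restored`.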