Add new policy creation for shared vpc

openshift-online · Jan 24, 2025 · ef88924 · ef88924
1 parent e5cc7b3
commit ef88924
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/pkg/aws/aws_client/role.go b/pkg/aws/aws_client/role.go
@@ -463,6 +463,33 @@ func (client *AWSClient) CreatePolicyForSharedVPC(policyName string) (string, er
 	return client.CreatePolicy(policyName, statement)
 }
 
+func (client *AWSClient) CreatePolicyForSharedVPCEndpoint(policyName string) (string, error) {
+	statement := map[string]interface{}{
+		"Sid":    "Statement1",
+		"Effect": "Allow",
+		"Action": []string{
+			"ec2:CreateVpcEndpoint",
+			"ec2:DescribeVpcEndpoints",
+			"ec2:ModifyVpcEndpoint",
+			"ec2:DeleteVpcEndpoints",
+			"ec2:CreateTags",
+			"ec2:CreateSecurityGroup",
+			"ec2:AuthorizeSecurityGroupIngress",
+			"ec2:AuthorizeSecurityGroupEgress",
+			"ec2:DeleteSecurityGroup",
+			"ec2:RevokeSecurityGroupIngress",
+			"ec2:RevokeSecurityGroupEgress",
+			"ec2:DescribeSecurityGroups",
+			"ec2:DescribeVpcs",
+			"route53:ListHostedZones",
+			"route53:ChangeResourceRecordSets",
+			"route53:ListResourceRecordSets",
+		},
+		"Resource": "*",
+	}
+	return client.CreatePolicy(policyName, statement)
+}
+
 func (client *AWSClient) CreateRoleForAdditionalPrincipals(roleName string, installerRoleArn string) (types.Role, error) {
 	statement := map[string]interface{}{
 		"Sid":    "Statement1",